St. Louis, Missouri-based SSM Health recently reported that it experienced a potential data breach after an employee accessed patient records without authorization.
The access occurred between February 13, 2017 and October 20, 2017, when the employee was working in the customer service call center, according to SSM Health. At the time, the employee had PHI access to perform regular job functions.
SSM Health stated that it launched an internal investigation on October 30, 2017 but did not explain how the organization knew to start an investigation into potentially illegal activities.
“It appears that although the former employee accessed patient information from multiple states, the focus of his illegal activities involved the medical records of a small number of patients with a controlled substance prescription and a primary care physician within the St. Louis area,” SSM Health said. “Out of an abundance of caution, SSM Health is notifying all 29,000 patients whose records were accessed by this individual, even if the access may have been for legitimate job functions.”
The employee had access to “demographic and various types of clinical information,” but did not have access to financial data such as credit or debit card numbers.
Since the incident, SSM Health said it now requires an additional identifier when patients request prescription refills from the call center. The organization is also “reviewing internal policies and procedures, and further strengthening employee access monitoring tools.”
SSM Health will also be offering potentially affected patients complimentary identity theft protection services upon request.
Patient data possibly accessible on cloud storage option
Emory Healthcare (EHC) announced that patient information may have been accessible through a Microsoft Office 365 OneDrive account. A former employee took the files when departing EHC and placed them in an account at the University of Arizona (UA) College of Medicine.
“Based on information disclosed to us by the UA from their investigation, it is our understanding that the information may have been accessible to individuals that were set up with a specific type of UA e-mail account, but there is no indication that the information was accessed or used in any way while on the OneDrive Account,” EHC explained. “EHC has no reason to believe patient information was actually viewed by anyone outside of EHC other than former EHC physicians who now work for the UA, limited UA staff and those at UA investigating this incident.”
Patients who received radiology services at EHC from 2004 to 2014 were likely to have their information in the files, the statement read. This includes patients’ names, and in some cases dates of birth, dates of service at EHC, provider names, medical record numbers, diagnostic/treatment information and treatment locations.
Social Security numbers, drivers’ license numbers, addresses, phone numbers, credit card information or any financial information were not involved.
The OCR data breach reporting tool states that 24,000 individuals may have been impacted.
It was against EHC policy for the physician to take the information upon leaving the organization, EHC maintained. Going forward, EHC said it is reviewing its policies and will ensure that security measures are current. It will also enhance “patient care team education programs to help prevent something like this from happening in the future.”
NY facility faces EHR downtime following cyber attack
Jones Memorial Hospital was facing EHR downtime as of January 2, 2017 after it experienced a cyberattack, according to an online statement.
The provider said it is working with its EMR systems vendor Meditech and IT professionals from the University of Rochester, Noyes, and St. James hospitals for full system restorations.
JMH patients were urged to “bring their insurance card, their complete medications list, and any available medical history with them to any visits.”
“We have continued to provide high-quality care throughout this event, using the standard computer downtime procedures we regularly train and prepare for,” JMH stated. “These include manually entering information into patient medical charts while some of our systems are off-line.”
To JMH’s knowledge, no patient financial information or medical data has been compromised, and the incident is “isolated to Jones Memorial Hospital’s computer systems.”
Potential ransomware attack hits Longs Peak Family Practice
Longs Peak Family Practice, PC (LPFP) recently reported that it experienced a potential ransomware attack on November 5, 2017. The organization said that malicious code was executed within the network while it was attempting to secure the network from a hacker.
Certain files were encrypted on LPFP computers, but the organization was able to use a separate secure backup of patient files to rebuild and restore the network.
“On November 10, after discovering a second hack into the network that did not involve ransomware, LPFP immediately hired a leading firm with forensic computer expertise to assist in the investigation to identify any malware and further investigate any unauthorized access that may have occurred because of the hacking activity,” LPFP stated. “LPFP’s forensic investigation concluded on December 5. Although there was no specific evidence that any data including our patients’ health information was removed or accessed from our network, there was evidence of unauthorized access to some parts of our computer system on November 5, 9 and 10.”
The organization added that there was no evidence of patient files being opened. However, LPFP said it could not guarantee that health information was not compromised because some of the installed software “could have been used to download computer files and some files were encrypted.”
Information that may have been accessed includes full names, LPFP’s patient ID numbers, dates of birth, addresses, phone numbers, email addresses, Social Security numbers, insurance carriers, insurance payment codes with associated costs, driver’s licenses, dates of services, clinical information including medical conditions, diagnoses, medications, labs and diagnostic studies, and copies of notes or reports by LPFP or other healthcare providers.
“Because of this incident, we have made changes to how our network may be accessed,” LPFP explained. “We have upgraded our system in consultation with seasoned IT professionals, including the purchase of a new enhanced firewall, and are further analyzing the tools and procedures we use to monitor and attempt to block malicious attempts to hack into our network.”
LPFP has also reanalyzed its network and policies and is “reinforcing and providing additional privacy and security training to” all staff members. The organization will also offer complimentary identity protection services for 12 months.
The statement did not specify how many individuals may have been impacted.