- About 42,000 AdventHealth Medical Group Pulmonary and Sleep Medicine patients are being notified that their personal and health data was breached for more than a year due to a hack of the Florida provider’s systems.
On December 27,2018, officials discovered a hacker gained access to AdventHealth systems. However, access to those systems began more than 16 months later in August 2017.
The breached data contained troves of personal and health data, including medical histories, insurance carriers, Social Security numbers, along with demographic information like names, phone numbers, email addresses. All patients will receive a year of free identity monitoring services.
AdventHealth has since improved its processes to bolster its auditing and system safeguards, according to officials.
While AdventHealth has already notified the Department of Health and Human Services within the 60-day timeline, officials said all patients impacted by the security incident will be notified by March 10. It’s unclear as to why the deadline will occur 13 days after the HIPAA-required 60 days.
A 16-month breach period is one of the longest reported in the healthcare sector, but AdventHealth is among several providers in recent years to report lapses in detecting unauthorized access. In fact, Protenus’ 2019 Breach Barometer reported several breaches that went undetected for extended periods of time.
Most recently, United Hospital District reported a June 2018 breach, more than six months later. Meanwhile, an email hack on Colorado-based Critical Care, Pulmonary and Sleep Associates compromised emails containing sensitive patient data went undetected for three months.
In January, 112,000 Centerstone Insurance and Financial Services’ plan members were notified that their information was breach during a four-month phishing attack.
Healthcare organizations should employ strong identity management and access control processes and tools to keep track of the users that have access to systems. Further, detection capabilities are crucial to truncating the time between when a breach occurs, and when it’s discovered. This may include network-level, endpoint, and content security detection, along with malware analysis and employee education.