Editor's note: A previous version of this article incorrectly identified MaineHealth as having experienced a cyber attack.
MaineGeneral Health will be sending out healthcare data breach notification letters to individuals who fell victim to a recent cyberattack, according to a health system press release.
On November 13, MaineGeneral was notified by the FBI that much of its data was on a website not affiliated with the health system. Although the website is not available to the public, this was still a concerning health data security issue.
Upon investigation, MaineGeneral and a third-party forensics team discovered that personal information had been breached for patients who were referred by a treating physician to radiology since 2009. Additionally, some MaineGeneral employee information was breached, as well as personal information for potential donors.
This healthcare data breach could potentially concern patients at all of MaineGeneral’s subsidiary clinics, including MaineGeneral Medical Center, MaineGeneral Rehabilitation and Long Term Care, MaineGeneral Retirement Community, and MaineGeneral Community Care.
At this time, the healthcare data breach has not been recorded in the Office for Civil Rights data breach database. MaineGeneral has also not disclosed how many individuals may have been affected by this breach.
Compromised information includes names, addresses, and telephone numbers. MaineGeneral confirmed that no Social Security numbers, patient medical or health information, health records, driver's license numbers, or financial information had been disclosed.
The incident is reportedly still under investigation, and MaineGeneral and its forensics team will continue their work to determine the details of the incident.
Although MaineGeneral maintains that no financial or credit information had been compromised, it will still offer a one-year subscription to a credit monitoring service. Additionally, the health system has advised its customers to monitor their credit and to obtain a PIN from the IRS so that nobody can fraudulently file tax returns using their information.
Unfortunately, cyberattacks are quite common in the healthcare industry. Cyberattacks have been the main culprit of the largest healthcare data breaches this year, including the Anthem breach, the Premera Blue Cross breach, and the UCLA breach, all of which resulted in millions of individuals’ PHI being disclosed.
In response to the growing threat of health data breaches caused by cyberattacks, the Senate recently passed the Cybersecurity Information Sharing Act, which will create a framework for exchanging information regarding cybersecurity threats across the healthcare industry.
Specifically, CISA will allow healthcare professionals to connect with one another via a network dedicated to sharing best practices, experience, and other information about cybersecurity. The ultimate goal of this legislation is to help providers increase their cybersecurity efforts by learning from and exchanging information with their peers.
Additionally, the bill gives more responsibility to the Department of Health and Human Services (HHS), charging it with collecting all of this information into a usable format.
According to a public statement by the Senate Health, Education, Labor, and Pensions (HELP) Committee, the Senate committee responsible for proposing the bill, this new legislation:
Charges HHS and its subdivisions with naming an official who is responsible for leading the agency’s cybersecurity efforts—to coordinate response and so health organizations will know who is in charge of offering guidance and support;
Requests that the agency issue a report on emerging cyber threats in the healthcare industry, so both the agency and the American public have an accurate picture of the impact of these attacks;
Creates a task force of health industry leaders and cybersecurity experts to identify the biggest challenges in securing against cyber threats and recommend specific solutions to the agency;
Charges the task force to create a central resource to distribute cyber intelligence from the federal government to health care organizations in near real time, so they can rapidly respond to active threats;
Instructs HHS to create a series of best practices for health industry leaders to follow—on a voluntary basis—to help them keep their organization’s data as secure as possible.
As we move into the new year, it is clear that cybersecurity and health data security remain an imminent concern for the healthcare industry. Providers and other industry stakeholders will have to take adequate precautions and make use of resources, such as those offered through CISA, to protect digitally stored information.