- Tennessee-based Decatur County General Hospital experienced an EMR security incident when unauthorized software was installed on the server the EMR vendor supports on the organization’s behalf.
Decatur County received a security incident report from its vendor on November 27, 2017, the organization said in an online statement.
“The unauthorized software was installed to generate digital currency, more commonly known as ‘cryptocurrency,’” the hospital explained. “We believe an unauthorized individual remotely accessed the server where the EMR system stores patient information to install the unauthorized software.”
“The software was installed on the system at least as of September 22, 2017, and the EMR vendor replaced the server and operating about four days later,” Decatur County continued.
The OCR data breach reporting tool states that 24,000 individuals may have been affected.
There is no indication that information was accessed or viewed, and it is not likely that health information was the targeted by the individual who installed the software, the hospital explained. It has not yet been verified though that data on the server was not accessed.
Demographic information such as patient names, addresses, dates of birth, and Social Security numbers were on the affected server. Clinical information was also on the server, including diagnosis and treatment information, and other data such as insurance billing information.
Potentially affected individuals will be offered one year of complimentary credit monitoring services, the hospital added.
“Again, our investigation into this incident continues but we do not believe the motivation of any unauthorized access to the EMR server was to access or acquire your information,” Decatur County stated. “We encourage you, however, to exercise caution regarding communications if you receive an unsolicited call or email about this incident.”
Partners Healthcare reports malware attack
An unauthorized third party installed a “sophisticated, malicious computer program” onto Partners HealthCare System, Inc.’s (Partners) computer network, the organization said in an online statement.
The incident occurred on May 8, 2017, but was reportedly not specifically targeting Partners’ environment.
Partners added that its monitoring systems detected the unusual activity immediately, and the organization subsequently blocked the malware. Even so, there may have been unauthorized access to some data on affected computers from May 8, 2017 to May 17, 2017.
Partners said it became aware on July 11, 2017 that personal and health information may have been impacted.
First and last names, date(s) of service, and/or certain limited amounts of clinical information such as procedure type, diagnoses, and/or medications may have been affected. Some patients may also have had their Social Security numbers and financial information involved.
“The impacted data was not in any specific format, and it was mixed in together with computer code, dates, numbers and other data, making it very difficult to read or decipher,” Partners maintained.
“Partners has enhanced its security program, controls and procedures as a result of this incident.”
Boston Business Journal reported that 2,600 individuals may have been impacted.
Business associate phishing incident impacts Mississippi hospital
PHI of some Forrest General Hospital patients may have been affected by a phishing scam that took place at a business associate.
Horne LLP provides certain Medicaid reimbursement services to Forrest General, according to a statement from Horne.
The BA discovered on November 1, 207 that an employee email account was sending phishing emails. An investigation determined that the employee had been the victim of a phishing scam and there had been unauthorized account access from October 31, 2017 to November 1, 2017.
Some of the emails also contained PHI, including some combination of patients’ name, Medicaid identification number, date of birth, patient account number, dates of service and Social Security number.
The OCR data breach reporting tool states that 1,670 individuals may have been impacted.
“HORNE has stringent security measures in place to protect the security of information in its possession,” the statement read. “In addition, as part of its ongoing commitment to the security of protected health information in its care, HORNE is working to implement additional safeguards and security measures to enhance the privacy and security of information on its systems.”
Potentially affected individuals will also be offered one year of free credit monitoring and identity theft resolution services.
Missing external hard drive raises data security issue at EMMC
Eastern Maine Medical Center (EMMC) announced on its website that an external hard drive containing PHI of 660 individuals could not be located.
Patients who underwent cardiac ablation procedures performed at EMMC between January 3, 2011 and December 11, 2017 may have been affected.
Full names, dates of birth, dates of service, medical record numbers, one word condition descriptors, and procedural images were on the hard drive. However, the device did not contain Social Security numbers, addresses, or financial information.
“Eastern Maine Medical helps many patients through private healthcare matters each day. We take our commitment to uphold our patients’ privacy very seriously and are reviewing our processes to strengthen data security,” EMMC President Donna Russell-Cook said in a statement.
Potentially affected patients will receive a notification in the mail and will be offered one year of complimentary identity monitoring services.