Cybersecurity issues continue to plague the healthcare industry, so it should come as no surprise that hacking and IT incidents account for the majority of large-scale healthcare incidents in 2017.
OCR numbers show that four of the five largest reported data breaches stem from either hacking or an IT incident, with approximately 1.2 million patient records affected.
These reported incidents are all in the OCR data breach reporting tool, which does not necessarily account for all security incidents that have taken place so far in 2017. For example, the WannaCry ransomware attack from May 2017 affected numerous countries, with reports of US medical devices potentially being affected.
Even so, healthcare organizations should take note of these cases to ensure that they make necessary adjustments in their own data security plans.
A phishing scam allowed some Washington University School of Medicine patient data to potentially be accessed, the school reported on its website.
Washington University learned about the incident on January 24, 2017, but the employee responded to the phishing attack on December 2, 2016.
“To help prevent such incidents in the future, we are reinforcing education with our staff and faculty of existing protocols and university resources regarding ‘phishing’ emails,” Washington University stated. “We also are reviewing enhancements to strengthen our business practices and user login authentication process.”
The accessed employee email accounts may have included names, birth dates, medical record numbers, diagnosis and treatment information, other clinical information, and Social Security numbers in some cases.
OCR stated that 80,270 individuals may have been affected.
Indiana-based VisionQuest Eyecare announced on its website that it discovered a cyber attack on its network on January 22, 2017.
Information that was potentially compromised included patient names, addresses, phone numbers, dates of birth, Social Security numbers, health or vision insurance information, medical claims data and clinical information (Private Health Information), according to VisionQuest.
OCR reported that 85,995 individuals may have had their information involved in the incident.
“Since this discovery, it has been our highest priority to further secure our network and data,” the statement explained. “We have invested in multiple technology solutions in order to mitigate further risk of a data breach.”
VisionQuest urged individuals to place a freeze on their credit accounts to prevent potential fraudulent activity. However, the organization said there was no evidence that any data was actually compromised.
Harrisburg Gastroenterology and the Harrisburg Endoscopy and Surgery Center reported that it was determined on March 17, 2017, that an unauthorized individual may have viewed patient information.
Possibly affected patient information included names, demographic information, Social Security numbers and health insurance information, according to the notification letter.
“To date, we have no evidence that any patient information has been misused, nor do we have any reason to believe that the information will be misused in the future,” the letter read. “However, as a precaution, we wanted to notify you regarding this incident and assure you that we take it very seriously.”
For Harrisburg Gastroenterology Ltd, 93,323 individuals may have been affected, according to OCR. Harrisburg Endoscopy and Surgery Center had 9,092 patients possibly impacted by the incident.
Potentially affected individuals were also offered a complimentary one-year membership in identity protection services.
“To help prevent a similar incident from occurring in the future, we are enhancing our existing security measures relating to protection of patient information,” the notification letter explained.
Texas-based Urology Austin reported earlier this year that it experienced a ransomware attack on January 22, 2017. The organization explained on its website that it became aware of the incident within minutes of the attack, shut down its computer network, and started an investigation.
“We also began to take steps to restore the impacted data and our operations,” Urology Austin explained. “Through our investigation, we determined that some patient information was impacted by the ransomware.”
Potentially affected information included patient names, addresses, dates of birth, Social Security numbers, and medical information.
OCR reported that 279,663 individuals may have been affected.
A Urology Austin representative told local news station KXAN that the organization did not pay the ransom and was able to restore patient information from a backup.
“We take the security of our patients’ information very seriously and we have taken steps to prevent a similar event from occurring in the future, including strengthening our security measures and ensuring that our networks and systems are now secure,” Urology Austin stated.
Commonwealth Health Corporation is the parent company for Kentucky-based Med Center Health, which reported that a former employee accessed certain patient billing information without authorization.
That individual “obtained certain billing information by creating the appearance that they needed the information to carry out their job duties for Med Center Health” on two separate occasions, the organization explained.
“The evidence we have gathered to date suggests that the former employee intended to use these records to assist in the development of a computer-based tool for an outside business interest which had never been disclosed to Med Center Health officials,” Med Center Health explained in its letter, signed by CEO Connie Smith.
In August 2014 and February 2015, the employee used an encrypted CD and an encrypted USB drive. However, the individual did not have any work-related reason to access the information.
The billing information included patient names, addresses, Social Security numbers, health insurance information, diagnoses and procedure codes, and charges for medical services. Medical records were not affected, according to Med Center Health.
OCR stated that 697,800 individuals may have had their data impacted.
Only certain patients who had been treated at The Medical Center Bowling Green, The Medical Center Scottsville, The Medical Center Franklin, Commonwealth Regional Specialty Hospital, Cal Turner Rehab and Specialty Care and Medical Center EMS between 2011 and 2014 may have been affected.
“We sincerely apologize for any concern and inconvenience this incident may cause you,” Med Center Health stated. “We continue to review the incident and to take steps aimed at preventing similar actions in the future. Those actions include reinforcing education with our staff regarding our strict policies and procedures in maintaining the confidentiality of patient information.”