IL Provider Faces Healthcare Data Breach, 171K Patients Exposed

August 31, 2021 - Metro Infectious Disease Consultants (MIDC) began notifying individuals of a healthcare data breach that may have exposed the personally identifiable information (PII) and protected health information (PHI) of over 171,000 patients. The breach occurred on June 24, when an unauthorized third party gained access to employee email accounts.

MIDC stated that it had no reason to believe that the unauthorized party viewed or acquired any personal information, but the accessed email accounts did contain PII or PHI. The email accounts contained Social Security numbers, driver’s license numbers, addresses, birthdates, account numbers, insurance information, prescription information, and limited clinical information in some cases.

“Upon learning of the incident, MIDC promptly contained the incident by securing the email accounts to prevent further access. It also engaged a forensic security firm to investigate and confirm the security of its email and computer systems, and is analyzing potential, additional security enhancements,” the statement explained.  

“MIDC is notifying all potentially impacted individuals for whom it has a valid mailing address and has arranged for complimentary identity protection and credit monitoring services for those individuals whose Social Security numbers or driver’s license numbers were impacted.”

MIDC consists of over 100 infectious disease physicians with locations in Illinois, Alabama, Arizona, Georgia, Michigan, Missouri, and Kansas.

All impacted patients will receive information on protecting themselves against fraud and identity theft. MIDC recommended that patients be wary of any suspicious activity on their credit reports, benefit statements, and account statements. The provider also set up a designated phone line for questions about the breach.

The MIDC breach follows a newly observed trend in healthcare data breaches. Recent research indicates that hackers are shifting their focus from major hospital systems to smaller outpatient facilities. A recent cyberattack on another outpatient facility, Indiana-based CarePointe ENT, may have compromised the PHI and PII of 48,000 individuals.

A new report conducted by Critical Insight also revealed that business associates accounted for 43 percent of all healthcare data breaches in the first half of 2021.

“The causes of breaches at third-party vendors can run the gamut, ranging from poor access controls that fail to prevent vendors from seeing restricted data to phishing attacks,” the report explained.

“As these and other third-party breaches continue to make the news, it demonstrates that attackers are paying more attention to this ecosystem of vendors as a vulnerable link in the cybersecurity chain.”

While big hospital systems have lots of data and resources that are enticing to hackers, smaller facilities and business associates may be easier to infiltrate. Larger hospital systems are on high alert for the likely occurrence of a data breach, and many have implemented safeguards accordingly.

As a result, it is becoming more lucrative for hackers to target multiple small facilities with fewer cybersecurity protections rather than one big hospital system that may already be prepared to face a cyberattack.

Keeping computers patched, diversifying networks, and implementing organization-wide cybersecurity training are crucial to preventing cyberattacks and ensuring the safety of patient and employee data.