Recent Health Data Breaches Cause EHR Downtime, Deploy Malware
Health data breaches caused by malware and improper data use by employees continue to impact patient care and cause EHR downtime, according to some recent cases.
Source: Getty Images
By Jill McKeon
- Health data breaches continue to plague the healthcare sector, leading to EHR downtime and patient data leaks. While ransomware and phishing are obvious threats to the healthcare sector, instances of employee email and data misuse can be equally dangerous to patient data.
A recent study discovered that on average, nearly 20 percent of files were open to every employee at a given healthcare organization starting on their first day of employment. The research illuminated troubling data security issues and improper protected health information (PHI) controls.
Cyberattack Results in EHR Downtime for IN Clinic
Central Indiana Orthopedics alerted patients to an organization-wide network interruption that began on October 16. At the time of publication, the provider’s network remained offline.
“Out of an abundance of caution, we have taken all of our systems offline to ensure they are clean prior to restoring our network from backups,” a notice on the Central Indiana Orthopedics website explained.
“We have also engaged a third party specialized cybersecurity team of experts to assist with restoration in addition to conducting an investigation to determine how this incident occurred and the overall impact on our information systems.”
READ MORE: Common Misconceptions About HIPAA and COVID-19 Vaccination Status
It is unclear what information was impacted or how many individuals were affected by the breach. EHR downtime often forces care teams to document notes on pen and paper and prevents access to medical history and treatment plans.
“We are working diligently to continue treating scheduled and walk-in patients and we apologize for any inconvenience this may cause.”
Phoenix Children’s Hospital Inadvertently Listed Names of Vaccine-Exempt Staff
Phoenix Children’s Hospital apologized for sending an internal email to 370 employees that inadvertently identified vaccine-exempt employees by name, according to ABC15 Arizona. The email was about the hospital’s COVID-19 safety protocols.
The hospital said that employees on the email distribution list were supposed to be blind carbon-copied (Bcc), which would have hidden their email addresses from other recipients.
"As part of its COVID-19 vaccination program, Phoenix Children’s engaged in an extensive process to evaluate and provide qualified employees with medical and religious exemptions to its vaccination policy,” the hospital explained.
READ MORE: MI Man Sentenced to 7 Years in Prison for UPMC PII Breach
“For those employees who were granted accommodations, we developed appropriate workplace accommodations designed to protect all staff, visitors and our vulnerable patient population.”
This incident will not necessarily be categorized as a HIPAA violation since employers and employees do not adhere to the same constraints as provider and patient relationships.
“Since learning of our administrative error, we immediately informed affected employees of the error, extended our sincere apologies and explained that efforts had been taken to avoid similar mistakes in the future," the hospital concluded.
Former UNC Hospitals Employee Used Patient PII for Personal Gain
UNC Hospitals began notifying 719 patients about a security incident that involved a former employee accessing patient personally identifiable information (PII) for personal financial gain.
UNC Hospitals discovered suspicious activity on September 10, 2021. The employee in question was responsible for handling payments for services rendered by certain UNC Hospitals clinics.
READ MORE: Spoofing, Phishing, Ransomware Continue to Overwhelm Health Systems
“The now former employee had access to patient demographic information including Social Security numbers, as well as copies of patient driver’s licenses and insurance cards,” the notice stated.
“UNC Hospitals has confirmed that this former employee used some patients’ demographic and financial information to fraudulently obtain goods or services.”
Impacted individuals are eligible for one year of free credit monitoring, and the UNC Hospitals Police Department has since launched a criminal investigation.
“UNC Hospitals regrets any concern or inconvenience this incident may cause,” the statement concluded.
“In response to this incident, they have taken action in accordance with policy and reviewed the payment process to ensure internal controls are effective and appropriate.”
Utah Health Plan Suffers Cyberattack
Educators Mutual Insurance Association (EMI Health) in Utah said that an unauthorized individual accessed its network between July 29 and August 10, 2021, and deployed malware. EMI Health discovered the breach on August 23.
The unauthorized actor obtained copies of documents containing member PII, including names, driver’s license numbers, Social Security numbers, addresses, dates of birth, clinical information, and health insurance identification numbers.
EMI Health said it did not believe that members’ full financial account numbers were in the accessed documents. The health plan engaged a computer forensics firm and is currently in the process of reviewing all documents involved.
EMI Health stated that it will mail letters to impacted individuals as soon as possible and urged health plan members to remain vigilant against instances of identity theft.
“We regret any concern or inconvenience this incident may cause. We remain committed to protecting the confidentiality and security of member information,” the statement explained.
“To help prevent something like this from happening again, we are continuing to regularly audit our system for potential unauthorized activity and are implementing enhanced network monitoring tools.”
