Hacking and IT security issues, including phishing scams and ransomware attacks, are still the leading causes of the largest health data breaches in 2017, according to data from OCR.
The three largest incidents thus far – two of which are classified as either hacking or an IT incident – have also potentially impacted 1,497,800 individuals.
No healthcare provider can ensure that a data breach will never take place, but these incidents further show why organizations need to take the time to regularly review their physical, technical, and administrative safeguards. Comprehensive employee training is also critical, especially with ransomware attacks on the rise.
Entities of all sizes need to feel confident that staff members can recognize an attack and report it to the proper authorities instead of clicking on or opening a malicious link or email.
A virus at Women’s Healthcare Group of Pennsylvania blocked access to system files, and may have allowed external hackers to gain access to its systems as early as January of 2017 via a security vulnerability.
Officials said that a limited amount of patient information may have been accessed, but that the organization was able to restore encrypted files from a backup server. There were 300,000 individuals possibly affected, according to the OCR data breach reporting tool.
Potentially accessed information included patient names, addresses, dates of birth, Social Security numbers, blood types, race, employers, insurance information, diagnoses, and physician names.
“Although this security vulnerability allowed access to limited patient information and the virus encrypted certain files, we have been unable to determine if any specific information was actually acquired or viewed in connection with this incident,” Women’s Healthcare Group said in a statement. “In addition, the encrypted files were promptly restored from our back-up server and the incident had no effect on our ability to continue to provide patient care nor was any information lost.”
The organization added that it would be “conducting a comprehensive internal review” of its information security practices and procedures to help prevent similar incidents from happening.
Airway Oxygen reported in June 2017 that it had been affected by a ransomware attack on April 18, 2017. The ransomware tried to prevent the medical equipment supply company from accessing its own data, the online statement read.
The OCR data breach reporting tool stated that 500,000 individuals may have been affected by the incident.
“Since learning of the incident, we immediately took steps to secure our internal systems against further intrusion, including by scanning the entire internal system, changing passwords for users, vendor accounts and applications, conducting a firewall review, updating and deploying security tools, and installing software to monitor and issue alerts as to suspicious firewall log activity,” explained the statement, which was signed by Airway Oxygen President Stephen Nyhuis.
Full names, home addresses, dates of birth, telephone numbers, diagnoses, types of services provided, and health insurance policy numbers may have been involved, Airway said. However, bank account numbers, debit or credit card numbers, and Social Security numbers were not affected.
“We take the security of those with whom we work and their data very seriously and our team is working diligently to ensure breaches of this type do not happen in the future,” Airway said.
The largest reported incident of 2017 so far took place at Kentucky-based Med Center Health, which falls under the Commonwealth Health Corporation umbrella.
Med Center Health announced earlier this year that a former employee accessed certain patient billing information without authorization.
OCR reported that 697,800 individuals may have had their data impacted.
“The evidence we have gathered to date suggests that the former employee intended to use these records to assist in the development of a computer-based tool for an outside business interest which had never been disclosed to Med Center Health officials,” Med Center Health explained in its letter, signed by CEO Connie Smith.
Patient medical records were not accessed, but the billing information involved included patient names, addresses, Social Security numbers, health insurance information, diagnoses and procedure codes, and charges for medical services.
Furthermore, only patients who had been treated at The Medical Center Bowling Green, The Medical Center Scottsville, The Medical Center Franklin, Commonwealth Regional Specialty Hospital, Cal Turner Rehab and Specialty Care and Medical Center EMS between 2011 and 2014 may have been affected.
“We sincerely apologize for any concern and inconvenience this incident may cause you,” the letter stated. “We continue to review the incident and to take steps aimed at preventing similar actions in the future. Those actions include re-enforcing education with our staff regarding our strict policies and procedures in maintaining the confidentiality of patient information.”