16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients

AdventHealth Medical Group’s Pulmonary & Sleep Medicine in Tavares, FL, formerly known as Lake Pulmonary Critical Care, has discovered hackers gained access to its systems and may have viewed or obtained the protected health information of up to 42,161 patients.

Hackers first gained access to the Pulmonary & Sleep Medicine center’s systems in August 2017 as a result of the installation of malware. The malware infection was not discovered until December 27, 2018.

The malware was removed and its systems were secured and an investigation was launched to determine the extent of the breach and which patients had been affected.

The investigation revealed the hackers gained access to parts of its system where patients’ protected health information was stored. The information that was potentially accessed included names, addresses, email addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, medical histories, and the race, gender, weight, and height of patients.

It is unclear how the malware was installed and why it took 16 months to discover the malicious software. AdventHealth has since implemented additional system safeguards to prevent future cyberattacks and has enhanced system audits to ensure that any future breaches are detected more rapidly.

AdventHealth started sending breach notification letters to affected patients on January 25, 2019. All patients whose protected health information was exposed have been offered complimentary credit monitoring, fraud consultation, and identity theft restoration services through Kroll for 12 months. Patients have been advised to monitor their explanation of benefits statements from their insurers for any signs of misuse of their insurance information.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.