HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

36,500 Patients of Austin Cancer Centers Notified About PHI Exposure

Austin Cancer Centers is alerting 36,503 patients about a security incident discovered on August 4, 2021 in which some of their protected health information was exposed.

Unauthorized individuals were discovered to have gained access to computer systems and installed malware. To prevent further unauthorized access, computer systems were immediately shut down and law enforcement was notified. Since then, Austin Cancer Centers has worked with cybersecurity experts to learn about the exact nature and scope of the incident. Austin Cancer Centers said the malware has now been removed, systems have been restored and secured, and its facilities are open.

The forensic investigation into the security breach confirmed hackers first gained access to its computer systems on July 21, and access remained possible until the breach was discovered on August 4. A comprehensive review was conducted to identify all files on the network that could possibly have been accessed in the attack. Those files were found to contain patient information such as names, addresses, dates of birth, insurance carrier names, and medical notes. The Social Security numbers of certain patients were also exposed, as were the credit card numbers of a limited number of patients.

Austin Cancer Centers does not believe the attackers had access to its entire network, but the decision was taken to send notifications to 36,500 patients out of an abundance of caution. Since the attackers no longer had access to its network from August 4, new patients who received medical services after that date were definitely not affected.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Austin Cancer Centers said the attackers took steps to avoid detection and hide their activities, which is why it took around two weeks to discover the security breach. Throughout the investigation the priority was to ensure systems were secured and patient data were protected, so notifications were delayed until it was certain that appropriate safety measures were in place.

The exact nature of the malware attack, including whether ransomware was involved, has not been released as the investigation into the security breach is ongoing. Austin Cancer Centers said further information about the incident will be shared with affected individuals via its website when it is deemed appropriate for the information to be released.

Since the breach occurred, Austin Cancer Centers has implemented additional technical safeguards to further enhance security, and rigorous privacy and security training has been provided for the entire staff.

Affected patients have been provided with a complimentary 1-year membership to the Equifax Credit Watch™ Gold credit monitoring service, which includes automatic fraud alerts and cover through a $1,000,000 identity theft insurance policy.

“We are deeply saddened and frustrated by this incident.  Caring for our patients during medically stressful times in their life, is our core business,” said Austin Cancer Center CEO, Laurie East. “We apologize to our family of patients for any concern this may create, and we will do everything we can to remedy the situation and help them through necessary steps to ensure their safety.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.