538,000 Patients Notified of LifeBridge Health Data Breach

Earlier this month, the Baltimore-based healthcare provider LifeBridge Health announced it had experienced a data breach. A press release about the breach was issued on May 16, although there was no mention of the number of patients impacted. Further information has now been released on the extent of the breach.

On March 18, 2018, LifeBridge Health discovered malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems.

The discovery of malware prompted a thorough investigation to determine when the server was first accessed. LifeBridge Health contracted a national computer forensics firm to assist with the investigation; the firm established that the server was first accessed on September 27, 2016, 18 months before the malware was discovered.

The types of information stored on the server included patients’ names, dates of birth, addresses, diagnoses, medications prescribed, clinical and treatment information, insurance details, and a limited number of Social Security numbers.

LifeBridge Health has uncovered no evidence to suggest any patients’ protected health information has been misused, but as a precaution, all patients whose Social Security numbers were potentially accessed by the attackers will be offered credit monitoring and identity theft protection services for 12 months without charge.

Because insurance information was exposed, all patients have been advised to carefully check their billing and explanation of benefits statements for any medical services charged but not received. Patients have been advised to report any discrepancies to their insurance carriers as soon as possible.

LifeBridge Health has not disclosed how access to the server was gained, although its response to the incident provides some clues. In its breach notice, the healthcare provider said it has “enhanced the complexity of its password requirements and the security of its system.”

The LifeBridge Health data breach is the second largest healthcare data breach to be reported this year. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 538,127 patients have potentially been impacted.

While this data breach is smaller than the security breach reported by the California Department of Developmental Services (CDDS) in April, it is certainly more serious for the individuals affected.

The CDDS breach, which potentially impacted 582,174 patients, was a burglary, and it is questionable whether any PHI was actually viewed or acquired by unauthorized individuals. All electronic equipment taken by the thieves was protected with encryption, and no paperwork appeared to have been removed.

While there have been no reports of misuse of data as a result of the LifeBridge Health data breach, the threat actors had access to the server for 18 months before the breach was detected. It is reasonable to assume that during that time the server would have been explored and PHI discovered.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.