25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

PHI of 320,000 Patients Potentially Compromised in EHR Vendor Hacking Incident

Posted By on Nov 8, 2021

QRS Inc, a Tennessee-based healthcare technology services company and provider of the Paradigm practice management and electronic health records (EHR) solution, has announced a HIPAA compliance data breach involving the protected health information (PHI) of almost 320,000 individuals. The cyberattack was detected on August 26, 2021, three days after a server was breached.

QRS explained in its breach notification letters that a hacker gained access to the electronic patient portal and potentially accessed and exfiltrated the PHI of patients of some of its healthcare provider clients.

When the breach was detected, the compromised server was immediately taken offline to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the attack.

Assisted by a third-party computer forensics firm, QRS determined the breach was limited to a single server. No other QRS systems nor those of its clients were affected. The compromised server contained files that included PHI such as names, addresses, dates of birth, Social Security numbers, patient identification numbers, portal usernames, and medical treatment and diagnosis information.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

QRS said unauthorized access and data exfiltration could not be ruled out, but it is not aware of any cases of actual or attempted misuse of patient data.

On October 22, 2021, QRS started sending notification letters to all affected individuals on behalf of its affected healthcare provider clients. Individuals who had their Social Security number exposed have been offered complimentary access to identity theft protection services as a precaution. QRS said it is taking steps to assess and address the risk of a similar incident occurring in the future.

Law enforcement has been notified and the breach has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR breach portal indicates the PHI of up to 319,778 individuals was stored on the compromised server.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist