Bay Area Children’s Association Notifies Patients of PHI Theft

On April 1, 2016, Bay Area Children’s Association (BACA) was notified that the electronic health records of its patients may have been stolen by hackers. The notice was received from BACA’s electronic health record (EHR) provider which had discovered access to its systems had been gained by unauthorized individuals and malware had been installed.

The EHR provider, which was not named in the breach notice, believes the malware was first installed on its systems in January 2015. Consequently, patients’ health data and personal information could conceivably have been in the hands of criminals for over 15 months.

After being notified of the potential theft of protected health information, BACA contacted its EHR provider to find out more about the extent of the breach and the data that could have been accessed.

BACA was informed on April 22, 2016 that there was no way of telling which patients had been affected, or whether data had actually been obtained by the attackers. Consequently, all patients whose data were stored in the EHR have had to be notified of the security breach.

The data stored in the system includes names, contact telephone numbers, addresses, dates of birth, Social Security numbers, medical insurance information, and data collected during health visits to BACA. The breach has not yet been uploaded to the HHS’ Office for Civil Rights breach portal so it is not clear exactly how many patients have been affected.

BACA has been informed by its EHR provider that action has been taken to strengthen security, which includes changes to firewalls and network configurations. The EHR provider’s systems have now been secured.

The security breach was reported to the U.S. Attorney’s office and the FBI and Secret Service have been investigating the matter. According to the BACA breach notice, those investigations have been ongoing for several months. That suggests the data breach was discovered a considerable amount of time before the EHR provider’s customers were notified.

It is not clear why notifications were delayed, although law enforcement often requests that breach notifications be delayed so as not to hamper investigations.

Due to the extent of data exposed, patients have been advised to place 90-day fraud alerts on their accounts. Patients have also been provided with a year of credit monitoring services via AllClear ID without charge.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.