Bizmatics Data Breach Victim Count Rises to Almost 177,000

Two further healthcare providers have reported security breaches that have potentially exposed patients’ protected health information, both of which have links to the Bizmatics data breach discovered in December 2015.

The Vein Doctor, a Liberty MO-based provider of treatment services for varicose and spider veins, recently submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights indicating 3,000 patients had been affected by a network server and EMR hack.

A breach notice has not appeared on the healthcare provider’s website at the time of posting, and it is unclear how much protected health information was exposed in the cyberattack. However, the breach does appear to be linked to Bizmatics. The Vein Doctor uses the PrognoCIS EMR tool developed and maintained by Bizmatics. Other healthcare providers impacted by the Bizmatics breach also used the PrognoCIS tool.

Grace Primary Care P.C. also reported a data breach to the OCR, which was similarly caused by the hacking of a network server. The breach report, submitted to the OCR on June 7, 2016, indicates the PHI of 6,853 patients was potentially exposed. Grace Primary Care also uses the PrognoCIS tool for its patient portal, and is another likely victim of the Bizmatics data breach.

Bizmatics conducted an investigation following the discovery of malware on its servers in December 2015. The EMR provider enlisted the services of a third-party computer forensics firm to assist with the breach analysis. The investigation determined that the malware was most likely loaded onto the company’s server in early 2015. The malware potentially allowed attackers to gain access to PrognoCIS data stored on the server.

Bizmatics was able to identify the clients that were likely affected and issued notifications to those companies advising them which data elements were likely exposed. However, in the majority of cases it was not possible to determine whether patient data were actually viewed or copied by the attackers, although this could not be ruled out.

Each healthcare provider affected by the breach has notified its own patients of a potential privacy violation and has submitted a breach report to the OCR. The company worst hit by the breach appears to be the Southeast Eye Institute, doing business as Eye Associates of Pinellas: 87,317 of its patients were impacted by the Bizmatics data breach.

Other healthcare providers known to be affected by the Bizmatics data breach include the California Health and Longevity Institute (4,386), ENT and Allergy Center (16,200), Integrated Health Solutions PC (19,776), Lafayette Pain Care P.C. (7,500), Pain Treatment Centers of America (19,397), Vincent Vein Center (2,250), and the North Ottawa Community Health System (20,000). Other healthcare providers may also have been affected.

In total, more than 176,800 healthcare patients have been confirmed as having been affected by the Bizmatics data breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.