HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Brooklyn Hospital Center Malware Attack Results in Loss of Patients’ Health Records

Brooklyn Hospital Center in New York has announced that a security breach occurred in late July 2019 that resulted in malware being installed on some of the hospital’s servers.

The attack was discovered promptly, and steps were taken to limit the harm caused; however, it was not possible to prevent certain files from being encrypted.

A third-party digital forensics firm was retained to assess the nature and extent of the malware attack and assist with the recovery of encrypted files. On September 4, following ‘exhaustive efforts’ to recover the encrypted files, it was determined that certain patient information was unrecoverable.

Entire medical records have not been lost, but some patients’ dental and cardiac images could not be restored. The hospital is currently conducting a review to determine which patients have been affected and those individuals will be notified in due course. As is often the case with ransomware attacks such as this, the goal of the attackers appears to have been to extort money from the hospital rather than gain access to patient information. No reports of misuse of patient information have been received and the forensic investigation uncovered no evidence to suggest the attackers accessed or exfiltrated patient information.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Brooklyn Hospital Center already had stringent security controls in place to prevent cyberattacks, although in this instance those controls were circumvented by the attackers. Policies, procedures, and existing security protocols are under review and security controls will be enhanced to prevent further breaches of this nature from occurring in the future.

The breach report submitted to the HHS’ Office for Civil Rights indicates up to 26,312 patients have been affected.

Unauthorized PHI Access and Use Discovered by Washington University School of Medicine

Washington University School of Medicine (WUSM) has discovered an employee’s personal laptop computer was used by an unauthorized individual to access a WUSM email account which contained the protected health information of certain patients of the Department of Ophthalmology and Visual Sciences.

The unauthorized individual, who had a personal relationship with the employee, accessed the email account between April 29, 2019 and September 3, 2019. A forensic investigation was conducted by a third-party firm to determine what information was contained in the account and could have been accessed. The investigation revealed information in emails and email attachments included patients’ names, medical record numbers, dates of birth, provider names, and limited treatment and clinical information, such as diagnoses and prescription information. The Social Security numbers and health insurance information of certain patients were also potentially compromised.

It was not possible to determine which emails and attachments had been opened, so the decision was taken to notify all individuals whose protected health information was potentially compromised. Any individual who had their Social Security number exposed has been offered complimentary credit monitoring and identity theft protection services.

The breach came to light on September 3, 2019 following reports that certain patients had been sent a letter about an employee of the Ophthalmology Department. The subsequent investigation led to the discovery of the security breach. It is unclear why those individuals were contacted.

WUSM has since implemented additional security enhancements and has re-educated employees on password best practices.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is currently unclear how many patients have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.