HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Central Ohio Urology Group Informs 300K Patients of PHI Theft

Patients of Central Ohio Urology Group whose protected health information was stolen and posted online in August have now been notified of the security breach.

While it is not clear exactly when the hack occurred, the data stolen in the cyberattack were dumped online on August 2, 2016. A wide range of patient data were uploaded to Google Drive by the hackers and were freely accessible. The hackers behind the attack – Pravvy Sector (Pravyi Sektor) – sent out links to the data on Twitter.

The data appeared to have been stolen from an internal server used by Central Ohio Urology Group. Access to the server is understood to have been gained using SQL injection – a technique commonly used by hackers to gain access to web application database servers. At the time, it was unclear exactly how many patients had been impacted by the breach, although the stolen data comprised 401,828 files, including images, videos, text files, documents, and spreadsheets.

Central Ohio Urology Group has now confirmed that it became aware of the breach on August 2 when the data were posted online. Action was immediately taken to remove the data. According to the breach notice, “We contacted law enforcement and had the information removed from the online drive within hours.”

An investigation was conducted to determine how access to the data was gained, and all of the stolen files were reviewed to determine how many individuals had been impacted. The breach notification sent to the Department of Health and Human Services’ Office for Civil Rights indicates 300,000 patients were impacted.

The data stolen in the attack included the names of patients, telephone numbers, addresses, email addresses, dates of birth, driver’s license numbers, State ID numbers, Social Security numbers, health plan and health insurance information (including identifiers), patient ID numbers, account information, employment-related information, medical histories, diagnoses, and treatment information.

Central Ohio Urology Group has offered all affected patients a year of complimentary identity theft protection services, and steps have been taken to bolster security to prevent future data breaches. Those measures include a new firewall, network monitoring software, and controls to restrict access to patient data.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.