Hack Discovered by Emergence Health Network: 11K Records Exposed
Emergence Health Network has discovered one of its network servers has been accessed by a third party without authorization. 11,000 patient records have potentially been compromised.
The incident came to light when suspicious activity was noticed on one of the healthcare provider’s servers. The activity was investigated and it was determined that an external party had gained access via the internet. The breach investigation revealed that highly sensitive data may have been accessed by the third party, which included patient names, dates of birth, addresses, case numbers and Social Security numbers, in addition to the name of the center where medical services were provided to patients. No medical data were compromised at any point as this information was not stored on the server. Access to the EHR system or other parts of the network was not gained.
After hiring a third party security expert to investigate the extent of the data breach, it was discovered that the first time data on the server were accessed by an unauthorized individual was in 2012.
Because Social Security numbers and personally identifiable information were potentially accessed by the intruder(s), there is a risk that the information has been used inappropriately. Since data was first accessed in 2012, the perpetrator potentially had a long time in order to use any data that were obtained; however, Emergence Health Network has not uncovered any evidence to suggest this was the case.
Patients have been advised to contact each of the three credit reference agencies to obtain credit reports, and patients have been advised to check those reports carefully and look for any sign of fraudulent activity. Emergence Health Network suggests patients should place fraud alerts on credit reports to ensure than any incidences of fraud are quickly identified, should any information be used inappropriately in the future.
However, the substitute breach notice placed on the healthcare provider’s website does not indicate any individuals will be offered credit monitoring, identity theft protection or fraud resolution services. An apology has been issued telling patients “We are sorry for any inconvenience this incident may have caused you. EHN is doing everything we can to fix this and not have it happen again.”
HIPAA Security Rule and Internal Audits of Equipment Containing PHI
It is not clear in this case why it took so long for Emergence Health Network to discover its server had been infiltrated. The Security Rule technical safeguards require covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” However, it should be noted that there is no stipulation as to how often audits of internal systems should be conducted. That is left to the covered entity to decide when audits and analyses of systems are appropriate.
The Department of Health and Human Services’ Office for Civil Rights investigates all data breaches that expose more than 500 patient records. Each incident is investigated to determine whether data breaches could have realistically been prevented, and whether it would have been reasonable, under the circumstance, to have expected the covered entity to have put controls in place to ensure PHI was secured.
Not all data breaches can realistically be prevented, and the OCR understands this, especially in the case of hacking incidents. However, it is in a covered entity’s area of control to ensure that data breaches are rapidly identified when they do occur.
This incident should therefore serve as a reminder to all covered entities of the importance of conducting periodic audits to assess for network infiltration that has somehow bypassed security controls. If a security breach is discovered promptly, the damage caused can be severely limited.