HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Breach Exposes 31K Records at Central Utah Clinic

The Central Utah Clinic has issued breach notification letters to 31,677 patients advising them that some of their data has been obtained by hackers who broke through the healthcare provider’s security defenses. The Central Utah Clinic is the largest owned independent medical practice in Utah and employs over 170 physicians.

The incident involved one of the hospital system’s servers, which was protected by a number of security measures, although in this case they did not prove sufficient to prevent a data breach. The server was immediately isolated once the data breach was identified, and a forensic investigation was conducted to determine what information was accessed by the hackers and which patients had been affected.

The investigation determined that only one of the healthcare provider’s 100+ servers was affected, and no evidence was discovered that data had either been viewed or copied by the hackers.

The server did not contain full medical records of patients, although some radiology reports and x-ray images were stored on the server along with patient names, addresses, phone numbers, dates of birth and Social Security numbers. The volume of data stored varied from patient to patient and not all individuals will have had their Social Security numbers exposed.


Scott Barlow, CEO of the CUC, said, “Protecting our patients’ information from exposure of any kind beyond what is needed for treatment, and particularly from cybercriminal activity, is a key focus at Central Utah Clinic, and we take full responsibility for this incident.” He also said, “These attacks are an unfortunate aspect of information technology and modern healthcare is not immune from this. It is important to understand there is no indication that any of our patients’ personal information was viewed or copied. Regardless, we are committed to transparency and working with our patients to mitigate possible effects of this occurrence.”

Under the HIPAA Breach Notification Rule, all covered entities must report data breaches to the Department of Health and Human Services’ Office for Civil Rights and patients must be informed of the data breach within 60 days of discovery. CUC has confirmed that the OCR has been notified of the breach and letters are now being dispatched by first class post to all affected patients.

Even though no data appears to have been copied, patients are being offered credit monitoring services to mitigate any damage caused. An advanced technology security firm has also been hired to assist the clinic with improving defenses and preventing future data breaches.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.