The Central Utah Clinic has issued breach notification letters to 31,677 patients advising them that some of their data has been obtained by hackers who broke through the healthcare provider’s security defenses. The Central Utah Clinic is the largest owned independent medical practice in Utah and employs over 170 physicians.
The incident involved one of the hospital system’s servers, which was protected by a number of security measures, although in this case they did not prove sufficient to prevent a data breach. The server was immediately isolated once the data breach was identified, and a forensic investigation was conducted to determine what information was accessed by the hackers and which patients had been affected.
The investigation determined that only one of the healthcare provider’s 100+ servers was affected and no evidence was discovered that data had either been viewed or copied by the hackers.
The server did not contain full medical records of patients, although some radiology reports and x-ray images were stored on the server along with patient names, addresses, phone numbers, dates of birth and Social Security numbers. The volume of data stored varied from patient to patient and not all individuals will have had their Social Security numbers exposed.
Scott Barlow, CEO of the CUC, said, “Protecting our patients’ information from exposure of any kind beyond what is needed for treatment, and particularly from cybercriminal activity, is a key focus at Central Utah Clinic, and we take full responsibility for this incident.” He also said, “These attacks are an unfortunate aspect of information technology and modern healthcare is not immune from this. It is important to understand there is no indication that any of our patients’ personal information was viewed or copied. Regardless, we are committed to transparency and working with our patients to mitigate possible effects of this occurrence.”
Under the HIPAA Breach Notification Rule, all covered entities must report data breaches to the Department of Health and Human Services’ Office for Civil Rights and patients must be informed of the data breach within 60 days of discovery. CUC has confirmed that the OCR has been notified of the breach and letters are now being dispatched by first class post to all affected patients.
Even though no data appears to have been copied, patients are being offered credit monitoring services to mitigate any damage caused. An advanced technology security firm has also been hired to assist the clinic with improving defenses and preventing future data breaches.