HIPAA Breach at Froedtert Health Exposes 43,000 Patient Records

Milwaukee-based healthcare provider Froedtert Health has announced that it suffered a data breach that could potentially have affected up to 43,000 patients, the result of a computer virus that had infected an employee's PC.

Froedtert Health operates a three-hospital system comprising Froedtert Hospital in Milwaukee, St. Joseph's Hospital in West Bend and Community Memorial Hospital in Menomonee Falls. Patients from all three hospitals have been affected, and breach notification letters were sent earlier this week.

The virus was discovered on December 14, 2013, and it is understood that it could potentially have allowed hackers to gain access to the Protected Health Information, along with personal identifiers, stored in the employee's work computer account.

In a statement announcing the breach, Froedtert Health explained that it enlisted the help of a computer forensics company to conduct an investigation to determine the extent of the infection and whether it constituted a HIPAA breach.

The forensics company was unable to establish whether hackers had actually been able to view any of the data in the account, but was "unable to definitively rule out the possibility the virus was able to obtain information."

A spokesperson for Froedtert Health told 12 News that the investigation was initiated soon after the discovery of the virus, but that it took a number of weeks to conduct, which explains the delay in sending out breach notification letters.

The information which was possibly accessed included patient names, phone numbers, addresses, dates of birth, medical insurance details and some clinical information. The Social Security numbers of some patients were also stored in the computer account.

Due to the risk of identity fraud, all affected individuals are advised to monitor their credit closely for a period of two years and to report any suspicious activity promptly. Medical identity theft does not usually occur straight away; there is often a delay before thieves use stolen health information.

In recent months the theft or loss of mobile devices such as portable hard drives and laptop computers has resulted in the health data of millions of Americans being compromised; however, computer viruses can be more serious. Computer equipment is often stolen for the value of the hardware rather than the data it contains, whereas viruses are used by hackers specifically to gain access to data and obtain Social Security numbers to commit medical fraud.

Healthcare organizations now face an elevated risk of targeted attacks due to the value of the patient data they hold, yet many are failing to take the appropriate actions to stop hackers from using viruses to gain access to their computer systems. Many healthcare providers do not routinely scan for viruses, in the belief that their security software will prevent viruses from being installed in the first place.

The Ponemon Institute recently conducted a survey which indicates that as many as 60% of healthcare providers do not conduct regular virus scans on their computers while they are connected, and 89% do not scan for viruses or malware infections before connecting.

It may not be possible to stop hackers from gaining access to healthcare computer systems, but it is essential that procedures are put in place to identify breaches as soon as they occur in order to limit the damage caused. Regularly checking for computer virus infections is an important part of managing risk effectively, and HIPAA-covered entities could be fined for failing to implement this basic security procedure.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.