HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hunt Regional Healthcare Revises May 2018 Data Breach Total

Texas-based Hunt Regional Healthcare has discovered a May 2018 cyberattack was much more extensive than previously thought. On May 14, 2019, Hunt Regional was informed by the FBI that its systems had been the subject of a sophisticated, targeted cyberattack in May 2018 and that a small subset of its patients had had their protected health information (PHI) exposed. Those individuals had previously received medical services at Hunt Regional Medical Center.

The PHI was stored in a limited area of the network to which the hackers had gained access and those individuals were notified about the breach in July 2019. A more detailed investigation was then conducted with assistance provided by third-party computer forensics experts, who discovered the hackers had gained access to other parts of the network that were not initially thought to have been compromised.

These additional parts of the network contained the PHI of patients of other facilities in the network: Hunt Regional Medical Center in Greenville, Hunt Regional Emergency Medical Center – Commerce, Hunt Regional Emergency Medical Center – Quinlan, Hunt Regional Home Care, Hunt Regional Lab Solutions, Hunt Regional Open Imaging – Greenville, Hunt Regional Open Imaging – Rockwall, Hunt Regional Outpatient Behavioral Health, Hunt Regional Infusion Center, and Texas Oncology Greenville.

Medical records were potentially compromised which included personal information such as names, contact telephone numbers, dates of birth, race, religious preferences, and Social Security numbers.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

It was not possible to determine exactly which records were accessed or copied by the attackers so the decision was taken to send notification letters to the entire database of patients to make sure all individuals were made aware of the possibility that their information had been compromised. All individuals have been offered credit monitoring and identity theft protection services and through IDCare, which includes a $1 million identity theft insurance policy.

Hunt Regional had implemented appropriate safeguards prior to the attack to prevent the unauthorized accessing of patient information. Assisted by third party cybersecurity professionals, Hunt Regional has implemented further safeguards to strengthen data security.

The initial breach report submitted to the HHS’ Office for Civil Rights in July 2019 indicated 3,700 patients had been affected. The breach summary has yet to be updated with the new total.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.