HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Institute for Women’s Health Hacked: PHI Potentially Compromised

Ransomware attacks on healthcare organizations have increased, although that is far from the only malware threat. Keylogging malware can be used to obtain sensitive information such as login credentials, or in the case of the San Antonio Institute for Women’s Health (IFWH), credit and debit card information as it was entered into its system.

The keylogging malware was discovered on the IFWH network on July 6, 2017, prompting a forensic investigation of its systems. That investigation revealed the malware had been installed on June 5, although it took until July 11 for the malware to be removed from the majority of its systems and a further two days for IFWH to confirm that the malware had been completely removed from all terminal servers and workstations.

During the time that the malware was present, it recorded and transmitted sensitive data as information was entered into its system. The types of data recorded by the malware between June 5 and July 11 includes names, dates of birth, addresses, Social Security numbers, scheduling notes, current procedural technology and other billing codes and other information that was entered into its system between those dates.

Any patient that paid for medical services using a credit or debit card between the above dates may have had their card data captured by the malware. IFWH said the incident was limited to information entered internally via keyboards. Data entered into its patient portal was not obtained by the hackers.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The Department of Health and Human Services has been informed of the breach and the incident has been reported to the Federal Bureau of Investigation. All patients impacted by the incident have now been notified of the breach by mail and have been offered identity theft protection services via ID Experts MyIDCare program. Patients will also benefit from 12 months of credit monitoring services and protection with a $1,000,000 insurance reimbursement policy.

Since credit card details were obtained, patients have been requested to contact their credit card companies and work with them to resolve any fraud issues and secure their accounts.

IFWH issued a statement confirming layered security defenses had been implemented prior to the malware attack, but those controls failed to prevent the virus from being installed. Those measures included network filtering and security monitoring solutions, firewalls, antivirus solutions and password protection. The malware attack has prompted IFWH to bolster its defenses to prevent further breaches, including enhancing data security on its web server infrastructure.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.