HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Major Data Exfiltration Discovered at Muhlenberg Community Hospital

Patient, employee, and contractor data have potentially been obtained by unknown third parties as a result of a multi-computer malware infection at Owensboro Health Muhlenberg Community Hospital, KY. According to the breach notice submitted to the Office for Civil Rights, 84,681 individuals have been affected by the cyberattack.

The security breach was discovered by the FBI after unusual third-party network activity was noticed on the hospital’s servers. An alert was issued on September 16, 2015, and the hospital immediately brought in external computer forensics experts to determine the cause of the activity. That investigation revealed that a number of computers had been infected with a type of malware that logs all keystrokes on the affected computers.

This type of malware then communicates those keystrokes to the hacker’s command and control server. All data entered on the infected computers may therefore have been transmitted to the hacker(s) responsible for the attack. The suspicious network activity was only recently discovered, but the investigation revealed that the computers may have been infected with the keylogging malware as early as January 2012.

Investigations into the security breach are ongoing and the hospital will continue to assist the FBI with its investigation; however, the task of determining which information was entered on the computers, and which patients were affected, is virtually impossible.


Not all of the computers used by the hospital were infected with the malware. The number of computers has not been disclosed, although the breach notice issued by the hospital indicates only “a limited number” were affected.

The task of analyzing the security breach is so complex that the hospital has had little option but to issue breach notices to all patients advising them that their data may have been compromised. Patients may have had highly sensitive information transmitted to the hacker(s) responsible for the attack, including names, telephone numbers, addresses, dates of birth, insurance information, Social Security numbers, employment details, payment card information, driver’s license numbers, state ID numbers, as well as health information including diagnosis and treatment data.

The extent of the data breach is considerable, and providers and employees may also have been affected. In the case of the former, the data may have included State License numbers, Drug Administration numbers, and National Provider Identifiers. Login credentials of providers, contractors, and employees may also have been compromised.

Any individual who used one of the infected computers could have had all entered data logged and exfiltrated. It is also possible that individuals who have connected to the hospital’s Wi-Fi network may have had their login credentials compromised.

The risk to all affected individuals is considerable, although to date the hospital has not been notified of any potential cases of identity theft or fraud. As a precaution, all individuals affected by the security breach are being offered credit monitoring services for a period of 12 months without charge. Due to the wide range of data that has been exposed, all patients have been advised to monitor their credit statements closely for signs of fraudulent activity. Explanation of Benefits statements must also be checked, as insurance data has been exposed.

The hospital took immediate action following the discovery of the security breach to prevent further data from being exfiltrated, and the malware has now been removed from all computers. Additional security measures are now being implemented to prevent further attacks from taking place.

Typically, malware is installed when an infected email attachment is opened. Phishing campaigns convince users to download malware, and malicious websites can do the same. Malicious links posted on social media networks may be involved, or the malware may have been installed via USB drives. At this point in time it is not clear exactly how the malware was installed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.