HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Malware Causes 5,200-Record Data Breach at DC Assisted Living Facility

A malware infection at Westminster Ingleside King Farm Presbyterian Retirement Communities has potentially enabled the attackers to gain access to the protected health information of thousands of its residents.

The Washington D.C., based assisted living facility had implemented a wide range of security solutions to prevent unauthorized access to its systems, although in this instance they were unable to block the attack.

The malware was discovered on November 21, 2017, with rapid action taken to identify all instances of the malware on its network and remove the malicious code to prevent further access. While the malware was successfully removed, assistance was sought from third party experts to determine how the attackers had managed to bypass its security defenses, and whether access to the protected health information of its residents had been gained.

The investigation into the breach highlighted a number of areas where security could be improved to further protect its systems from attack. Ingleside has now implemented a new firewall, upgraded its antimalware and antivirus software, and has adopted two-factor authentication on user accounts. New user credentials have been issued and strong passwords set. Staff have also received additional training to help them identify unauthorized access.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

While no evidence was uncovered to suggest the protected health information of its residents was accessed, it was not possible to rule out data access and data theft with 100% certainty. Consequently, all affected individuals have been notified about the potential breach and, out of an abundance of caution, residents have been offered credit monitoring and identity theft protection services via Kroll for 12 months without charge.

No financial information was compromised as a result of the malware infection, although names, addresses, Social Security numbers, and other protected health information were potentially compromised.

The breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 5,228 residents were impacted by the security breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.