Metro Health System HIPAA Breach: Malware Claims 981 Victims

The MetroHealth System has announced it has suffered a HIPAA breach after malware was discovered on three of its computers. The medical records of 981 patients who received cardiac catheterizations were potentially compromised in the attack.

The MetroHealth System, a county-operated non-profit healthcare provider based in Cleveland, Ohio, discovered on March 17 that malware had infected three Cardiac Cath Lab computers. The malicious software was removed the following day, March 18.

MetroHealth initiated an immediate investigation into the malware infection and potential data breach to determine how the software had been installed, the extent to which data had been compromised, the patients who had been affected and whether any data had actually been viewed or copied.

While the malware was initially thought to have been successfully removed, the forensic investigation revealed the highly sophisticated nature of the software. Some days into the investigation, it was discovered that in addition to the malware, a back door had been created allowing the creator of the software full access to the affected machines. That back door remained open until March 21, three days after the malware was removed.

8-Month Data Breach Uncovered

After analyzing the affected computers it was determined by investigators that the malware was installed on the computers on July 14, 2014. This was made possible because an employee of an unnamed Business Associate had disabled anti-virus software on the computers while performing a software upgrade, and failed to reactivate it after the upgrade was completed.

The HIPAA breach only affects patients who have visited a MetroHealth System hospital and had heart catheterization procedures performed in the past year. No financial information or Social Security numbers are reported to have been exposed in the data breach, although some Protected Health Information (PHI) and Personally Identifiable Information (PII) was compromised.

PHI and PII of 981 Patients Compromised

The data exposed includes patient names, height, weight, dates of birth, the treatments performed, medications prescribed during the procedure and medical information such as oxygen saturation levels and EKG tracings. Medical record and case numbers were also present in the data.

Following any breach of confidential data it is essential that the victims take precautions to protect their credit and identities. All affected individuals are in the process of being notified of the breach and have been advised to monitor Explanation of Benefits statements and obtain credit reports as a precaution. There is no indication at this stage that credit monitoring services are being offered.

In response to the breach, the healthcare provider will be strengthening its cyber security measures to prevent future breaches. These measures include conducting malware scans more frequently, monitoring anti-virus updates closely as well as amending the company’s procedures for computer software upgrades in its Cath labs.

Security Systems Must be Routinely Monitored

The data breach highlights the importance of monitoring cyber security defenses and of conducting routine scans to detect security breaches. Firewalls and antivirus software can easily be disabled by employees, so a system should be in place to regularly verify that those defenses are still active. One response to a phishing email is all it takes for access to computers and email accounts to be obtained.

It is therefore essential that an automatic system for monitoring firewalls and antivirus software is implemented, that its alerts are acted upon, and that regular malware/virus scans are performed on all computers used to access, store or transmit PHI.
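As an added illustration of the monitoring the article calls for (example code, not MetroHealth's or the article's own): a Python check over endpoint antivirus status records that flags protection left disabled past an approved change window, which is the failure mode described above, as well as hosts with no recent full scan. The policy thresholds, host names, change-ticket ids and status records are all constructed assumptions.

```python
# Fleet check for antivirus left disabled after maintenance. Status records are
# constructed here; in practice they would be exported from the AV or endpoint console.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy values, not taken from the article.
MAX_DISABLED = timedelta(hours=4)   # longest change window during which AV may stay off
MAX_SCAN_AGE = timedelta(days=7)    # oldest acceptable full malware scan

@dataclass
class AvStatus:
    host: str
    realtime_enabled: bool
    disabled_since: Optional[datetime]   # when protection was switched off, if it is off
    last_full_scan: datetime
    change_ticket: Optional[str]         # approved change record covering the outage, if any

def evaluate(statuses: List[AvStatus], now: datetime) -> List[Tuple[str, str]]:
    """Return one (host, reason) alert for every control failure found."""
    alerts = []
    for s in statuses:
        if not s.realtime_enabled:
            off_for = now - s.disabled_since
            if s.change_ticket is None:
                alerts.append((s.host, "realtime protection off with no approved change"))
            elif off_for > MAX_DISABLED:
                # A legitimate upgrade window that was never closed again.
                alerts.append((s.host, f"realtime protection off for {off_for.days} days, "
                                       f"exceeding the window approved under {s.change_ticket}"))
        if now - s.last_full_scan > MAX_SCAN_AGE:
            alerts.append((s.host, "no full scan within the last 7 days"))
    return alerts

# Constructed sample fleet of four Cath Lab workstations, checked on the morning of 2015-03-17.
NOW = datetime(2015, 3, 17, 9, 0)
SAMPLE = [
    AvStatus("cathlab-01", True, None, NOW - timedelta(days=1), None),                    # healthy
    AvStatus("cathlab-02", False, NOW - timedelta(hours=2), NOW - timedelta(days=2), "CHG-0001"),  # inside window
    AvStatus("cathlab-03", False, datetime(2014, 7, 14, 10, 0), datetime(2014, 7, 13), "CHG-0002"),  # window never closed
    AvStatus("cathlab-04", False, NOW - timedelta(hours=1), NOW - timedelta(days=1), None),  # no change record
]

def sample_alerts() -> List[Tuple[str, str]]:
    return evaluate(SAMPLE, NOW)

if __name__ == "__main__":
    for host, reason in sample_alerts():
        print(f"ALERT {host}: {reason}")
```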

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.