New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach

A malware infection at St. Peter’s Surgery & Endoscopy Center in New York has potentially allowed hackers to gain access to the medical records of almost 135,000 patients.

This is the second largest healthcare data breach of 2018, the largest to hit New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016, and the fifth largest healthcare data breach in New York since the Department of Health and Human Services’ Office for Civil Rights started publishing data breach summaries in October 2009.

The data breach at St. Peter’s Surgery & Endoscopy Center was discovered on January 8, 2018: The same day as hackers gained access to its server. The rapid detection of the malware limited the time the hackers had access to the server and potentially prevented patients’ data from being viewed or copied. However, while no evidence of data access or data theft was discovered, it was not possible to rule either out with a high degree of certainty.

In its substitute branch notice, St. Peter’s Surgery & Endoscopy Center says the servers it uses are separate from St. Peter’s Hospital and Albany Gastroenterology Consultants. Protected health information held by those medical centers was not compromised as a result of the malware infection. Only patients who have previously visited St. Peter’s Surgery & Endoscopy Center for medical treatment have potentially been affected. Letters to affected patients were mailed on February 28, 2018 and the incident has been reported to the HHS’ Office for Civil Rights.

The information potentially accessed/copied was limited to patients’ names, addresses, dates of birth, dates of service, diagnosis codes, procedure codes, and insurance information. Some patients also had Medicare information exposed. Patients without Medicare did not have their social security numbers exposed and no patients’ banking or credit/debit card numbers were exposed.

Patients whose Medicare information was exposed have been offered one year of credit monitoring and identity theft protection services without charge “out of an abundance of caution” and all patients have been advised to check their health insurance statements carefully for any sign of fraudulent use of their information.

No information has been released on the exact nature of the security breach, such as how the hackers gained access to the server to install malware. St. Peter’s Surgery & Endoscopy Center said action is being taken to bolster security, which includes further staff training. The purchase of additional – and more elaborate – anti-virus and anti-malware solutions is also being evaluated.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 134,512 patients were impacted

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.