HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Onsite Health Diagnostics Hack Exposes 60K-Patient Records

Hackers have infiltrated a decommissioned network server at healthcare Business Associate, Onsite Health Diagnostics (OHD), and gained access to patient records for a period of three months before the intrusion was detected.

OHD is a Dallas-based subcontractor for providing medical testing and screening services under a wellness plan run by Healthways for the state of Tennessee. The company holds tens of thousands of protected health records.

On January 4, 2014, hackers gained access to an old network server containing patient records which included names, addresses, phone numbers, email addresses and gender. No Social Security numbers or healthcare data was present on the server.

The intrusion was detected by OHD on April 11, 2014 and an investigation was immediately launched which established that 60,582 records were potentially viewed and copied by the hacker. The investigation was conducted by an external IT security and computer forensics company.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The firm determined that the data related to individuals who took part in wellness screenings in 2013 under Tennessee’s State Insurance Plan, Local Government Insurance Plan and a Local Education Insurance plan.

A breach notice was issued to the media in which it was confirmed that approximately one in five state workers were affected by the breach. Notification letters will be sent to all affected advising them of the security incident in due course. Patients will be offered a year of credit monitoring services free of charge, although at this stage it does not appear that the data has been used for fraudulent purposes.

Healthcare Industry Under Attack

Business Associates are now covered under HIPAA and can be held accountable for data breaches exposing Protected Health Information. The fines for HIPAA violations can rise to $1.5 million for each violation category and the Department of Health and Human Services’ Office for Civil Rights monitors breach reports and conducts investigations in cases where data breaches appear to have resulted from violations of HIPAA Rules. It is not clear at this stage whether Onsite Health Diagnostics implemented the appropriate safeguards to protect the server as required by the HIPAA Security Rule.

Healthcare providers and their business associates must ensure that all servers – whether new or old – have appropriate protections in place to safeguard PHI. The healthcare industry is currently being targeted by hackers and only last month the Montana Department of Public Health and Human Services was hacked, exposing over 1 million records with 97,000 records obtained by hackers from NRAD Medical Associates in June.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.