Sacred Heart Health System Suffers Hacking HIPAA Breach

The Sacred Heart Health System, a regional health system serving north Florida and south Alabama, has reported that a hacker has infiltrated the e-mail account of a Business Associate and has potentially obtained the personally identifiable information and Protected Health Information of approximately 14,000 individuals.

The security incident was caused when an employee of the Business Associate had their account username and password compromised in an “e-mail hacking attack”; reportedly a phishing campaign.

In recent months, hackers have successfully used phishing on a number of occasions to obtain user login details. Emails are sent to hospital employees that closely mimic messages from individuals who would plausibly need login details to be provided. Users are fooled into revealing their credentials, and the hackers then use those credentials to access email accounts and the PHI they contain.

On discovery of the breach, the billing vendor immediately shut down the affected e-mail account. The breach was discovered on December 3, 2014, although it was not reported to Sacred Heart until February 2, 2015 – two months after the breach had occurred.

Sacred Heart initiated an investigation and recruited an external computer forensics expert to determine the data that was exposed, which patients had been affected and how access to the email account was obtained. The investigation revealed that 14,177 records were contained in the email account, and the data exposed included names and dates of birth along with dates of service, billing account numbers, billing charges and the names of the physicians visited. Only 40 Social Security numbers were exposed in the incident.

Breach notification letters have now been sent to all affected individuals who have been advised that their information may have been compromised. They have also been advised of the actions they need to take to protect their identities and credit. Individuals affected by the data breach are being offered credit monitoring services free of charge for a period of one year.

According to a press release issued by Sacred Heart Privacy Officer Genevieve Harper, the healthcare provider is taking steps to ensure that further breaches are prevented. “Specifically, we are working with our billing vendor to ensure they are continually evaluating and modifying their practices to enhance the security and privacy of all confidential and/or sensitive information in their possession,” she said. She went on to say, “We are taking the necessary and appropriate steps to prevent this type of incident from occurring in the future,” and confirmed that “the hackers did not gain access to individual medical records or billing records.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.