Seton Family Of Hospitals Announces 39K HIPAA Breach
The Seton Family of Hospitals has suffered a HIPAA breach in which hackers obtained the Protected Health Information (PHI) of close to 39,000 patients. The attack occurred on February 26 of this year.
The data compromised in the healthcare hacking incident includes personal identifiers such as names, addresses and other demographic information in addition to medical record numbers, insurance provider information and Social Security numbers. Since demographic information has been obtained along with Social Security numbers and medical insurance details, the victims have been placed at an elevated risk of suffering medical and identity fraud.
While it has not been explicitly stated that Seton Family of Hospitals will be providing credit monitoring services to all affected individuals, a statement released by Jesús Garza, Seton Healthcare Family President and CEO, said that “It is our priority to support those who have been affected.”
Under the Health Insurance Portability and Accountability Act Breach Notification Rule, all covered entities are required to issue breach notification letters to all affected individuals and must provide them with information on the cause of the breach and the actions being taken to secure the data and prevent future cyber attacks. Covered entities must also take steps to mitigate any damage. In cases where victims of a breach are placed at an elevated risk of their PHI being used for fraudulent purposes, credit monitoring services should be offered free of charge for a period of at least one year.
Another Successful Healthcare Phishing Attack Suffered
Immediately following discovery of the breach, Seton Family of Hospitals took action to shut down access and secure its servers. Access to PHI has now been stopped. The investigation that followed determined that the hacker(s) had used a phishing campaign to obtain login details of hospital staff, which enabled the hospital email system to be infiltrated. It took some time for investigators to determine which accounts had been affected and the extent of PHI that was potentially obtained by the criminals in the incident.
The healthcare provider is now in the process of “taking all necessary and appropriate steps to prevent a recurrence,” and will “continue to implement administrative, technical and physical safeguards against unauthorized access of protected information.”
This is not the first time the Seton healthcare system has suffered a HIPAA data breach. Back in October 2013, the theft of an unencrypted laptop computer from the Seton McCarthy Clinic resulted in the PHI of approximately 5,000 individuals being exposed. On that occasion, medical record numbers, patient account numbers, a limited number of Social Security numbers, insurance information, diagnoses and immunization information were exposed.