Share this article on:
Arlington-based Texas Health Resources, a provider group serving more than 1.7 million patients in North Texas, is notifying ‘fewer than 4,000 patients’ that some of their sensitive information may have been accessed by an unauthorized individual. The data breach occurred as early as October 2017, although it was not discovered until January 17, 2018, when the health system was notified of a breach by law enforcement. The potentially compromised data was saved in email accounts that the attacker had access to for up to three months.
The delay in issuing breach notification letters, which would normally have to be issued within 60 days of the discovery of the breach under HIPAA Rules, was at the request of law enforcement. HIPAA covered entities are permitted to delay the issuing of notifications if law enforcement believes such an act would impede an investigation. Law enforcement has only recently given the OK to start sending notifications. It is unclear whether the law enforcement investigation resulted in the apprehension of a suspect.
Texas Health Resources explained in its substitute breach notice that the incident was part of a larger attack that affected multiple entities across the United States. It is currently unclear which other healthcare organizations were also targeted by the attacker and therefore the true scale of the campaign.
Texas Health Resources conducted its own internal investigation into the breach and determined that the compromised email accounts contained information such as names, dates of birth, Social Security numbers, medical record numbers, drivers’ license numbers, state ID numbers, insurance information, and clinical information. Most of the affected individuals had received medical services at Texas Health Resources facilities in 2017.
Individuals whose Social Security numbers were exposed have been offered complimentary identity theft and credit monitoring services for one year without charge. No reports have been received to suggest any of the information has been misused.
Texas Health continuously works on improving its safeguards to keep protected health information confidential and secure and will be enhancing security monitoring to ensure any future security incidents are detected rapidly in the future.