HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Texas Healthcare System Suffers 405K-Patient HIPAA Security Breach

A Texas healthcare system has been targeted by an international team of hackers who were able to access a server containing the Protected Healthcare Information of over 405,000 patients. This is the third-largest security breach reported to the Office of Civil Rights of the Department of Health and Human Services.

The hackers gained access to a computer server used by the St. Joseph Health System in Bryan, Texas for a period of three days in December 2013. The health center announced the breach on February 4th, although the data was accessed over a 48-hour period between December 16 and 18, 2013.

During this time hackers were able to access data containing Social Security numbers, patient contact details and medical information. Patients’ full medical histories were not stored on the server, only information such as registration data and details and test results.

The data contained patient information from hospitals operated by the St. Joseph Health System: The St. Joseph Center in Madison; St. Joseph Health Center in Grimes and Bryan as well as the St. Joseph Rehabilitation Center, also located in Bryan. In addition to patient data the server contained information on approximately 2,000 current and former hospital employees whose bank account information was also stored on the server.

An initial investigation identified the hackers as being based in China, although IP addresses from other countries appear to suggest a coordinated cyberattack by multiple individuals. Following the discovery of the HIPAA security breach, the server was isolated, taken offline and the data secured. Health system officials have also instigated a full investigation of the breach and have sought assistance from the FBI and computer forensic experts to determine how access was gained. While unauthorized access has been confirmed, there is no evidence that any of the data was copied from the server.

Patients affected by the breach are being offered a year of credit monitoring services, and procedures have been put in place to further protect patient data, including “8-10 new measures” to improve security and safeguard patient data, although details of these measures have not been made public.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.