Two More Healthcare Organizations Inform Patients of Bizmatics Breach

Two more healthcare organizations have started notifying patients that their protected health information was exposed when a hacker infiltrated the PrognoCIS application of third-party vendor Bizmatics Inc.

Earlier this year, Bizmatics started notifying some of its clients that its systems had been infiltrated by a hacker, who may have accessed and copied clients’ data from its PrognoCIS electronic medical record (EMR) database.

An attacker succeeded in installing malware on Bizmatics’ systems in January 2015, but the malicious software was not discovered until almost a year later, toward the end of 2015. Many of the healthcare organizations affected by the breach were notified in March 2016.

The latest two U.S. healthcare providers to announce that their patients had been affected by the Bizmatics breach are the California Health & Longevity Institute, based in Westlake Village near Los Angeles, and the Grand Junction, CO-based Vincent Vein Center.

California Health & Longevity Institute submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights on May 25, 2015 stating that the PHI of 4,386 patients had potentially been compromised. The breach report submitted to the media at the same time indicates patients’ names, addresses, contact phone numbers, dates of birth, medical histories, and health insurance information were potentially compromised.

The breach notice submitted to OCR by the Vincent Vein Center was received on June 7, 2016, more than two months after being notified of the potential breach by Bizmatics. The OCR report shows that 2,250 patients potentially had their PHI compromised. The breach notice posted on the Vincent Vein Center website indicates the same data elements were potentially viewed or copied by the attacker, although in some cases Social Security numbers were also exposed.

Bizmatics and the cybersecurity vendor employed to conduct the investigation – CrowdStrike – were unable to determine whether either healthcare provider’s patient data had actually been viewed or copied, although the possibility of a PHI breach could not be ruled out. No evidence was discovered to suggest this was the case and no reports of improper use of patient data had been received by Bizmatics up to March 30, 2016.

In response to the breach, Bizmatics has implemented a number of controls to ensure its servers and clients’ data are better protected in the future. Those additional protections include the hardening of its firewall and network configurations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.