HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

UMC Physicians Discovers Hacker Accessed PHI of Up to 18,000 Patients

A summary of hacking incidents and employee data breaches recently discovered by healthcare organizations.

Hacked Email Account Contained PHI of 18,000 UMC Physicians’ Patients

UMC Physicians in Texas is notifying approximately 18,000 patients that some of their protected health information has been exposed as a result of the hacking of a physicians’ email account. The breach occurred on March 15, 2018, although it was not discovered by the UMC Physicians’ IT team until May 18, giving the hacker two months to access the data stored in the account.

While the investigation did not uncover any evidence of actual or attempted misuse of PHI, it was not possible to determine with a high degree of certainty that PHI had not been compromised. Consequently, all patients whose PHI was potentially accessed have been offered complimentary credit monitoring and identity theft protection services for 12 months.

An analysis of the email account revealed the following information was potentially viewed/obtained by the hacker: Patients’ full names, addresses, phone numbers, medical record numbers, diagnoses, Social Security numbers, birthdates, dates of service and health insurance information.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Steps have now been taken to strengthen security to prevent similar breaches from occurring in the future.

Former VCU Health System Employee Accessed PHI of 4,686 Patients Without Authorization

VCU Health System in Virginia has discovered one of its employees accessed the protected health information of thousands of patients without authorization. The data breach was discovered on May 9, 2018, when an unusual pattern of electronic medical record activity was discovered.

A full review of the employee’s EHR access logs confirmed the unauthorized accessing of patients’ health information. The employee joined VCU Health System on January 3, 2003 and was terminated for inappropriate PHI access on May 10, 2018. During that period, the protected health information of 4,686 patients was accessed with no legitimate work reason for doing so.

The types of information the employee was able to view included patients’ names, addresses, birthdates, medical record numbers, healthcare providers, health insurance information, visit dates, and medical information. Some patients’ Social Security numbers may also have been viewed.

VCU Health System does not believe the records were accessed with any malicious intent, only out of curiosity. Patients whose Social Security numbers were potentially viewed have been offered 12 months of credit monitoring and identity theft protection services without charge.

HIPAA requires healthcare organizations to conduct periodic reviews of EHR access logs. It is therefore unclear why it took so long for the unauthorized access to be discovered.

MSK Group Informs Patients of PHI Breach

MSK Group, an integrated orthopedic practice in Tennessee that includes Tabor Orthopedics, OrthoMemphis, and Memphis Orthopaedic Group, has discovered a hacker gained access to its systems and intermittently accessed its network over a period of several months.

The breach was detected on May 7, 2018 when the IT team investigated a security event. Third-party information security consultants were hired to conduct a forensic investigation and assess and mitigate the breach. That investigation did not uncover evidence to suggest any information was stolen by the hacker, although the consultants were able to confirm that access was gained to certain parts of the network that contained the protected health information of patients.

The types of information that could potentially have been accessed included patients’ names, addresses, contact telephone numbers, fax numbers, email addresses, dates of birth, photographs, diagnostic images, driver’s license numbers, Social Security numbers, and medical record information.

Breach notification letters were sent on July 9, and all patients affected have been offered 12 months of complimentary credit monitoring and identity theft protection services. MSK Group has not disclosed how many patients have been affected.

MSK Group is continuing to work with the security consultants who are helping to strengthen security on its network.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.