Website Update Exposes PHI of 8,800 Silver Cross Hospital Patients

Silver Cross Hospital in New Lenox, IL, has learned that the protected health information of 8,862 patients has been exposed as a result of a software update performed by a business associate that manages certain parts of its website.

The software upgrade was performed on the website in November 2016 and inadvertently reconfigured the site's security settings. As a result, information entered by patients in webforms became accessible over the Internet and could potentially have been viewed by unauthorized individuals. Silver Cross Hospital said the change to the security settings was discovered internally on June 14, 2017. The vendor was immediately contacted and the site was rapidly secured.

A computer forensics firm was contracted to perform an analysis of the website to establish whether any of the exposed information had been accessed by unauthorized individuals during the seven months that data were accessible. The investigation did not uncover any evidence to suggest unauthorized individuals navigated to the forms and viewed patient health information, although the possibility could not be ruled out.
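The forensic question in the paragraph above, whether anyone outside the organisation reached the stored form data during the exposure window, is usually answered from web server access logs. The script below is an added example and is not part of the article, the hospital's investigation, or the vendor's software. It assumes a hypothetical storage URL prefix (`/forms/submissions/`), hypothetical trusted address ranges for internal and vendor traffic, standard Apache/nginx combined log format, and a handful of constructed log lines; the window bounds are the November 2016 upgrade and the June 14, 2017 discovery date given in the article.

```python
"""Added example (not from the HIPAA Journal article or Silver Cross Hospital):
scan access logs for successful reads of stored webform submissions, from
untrusted addresses, inside a known exposure window."""
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

PROTECTED_PREFIX = "/forms/submissions/"  # hypothetical path of stored submissions
WINDOW_START = datetime(2016, 11, 1, tzinfo=timezone.utc)           # upgrade month (article)
WINDOW_END = datetime(2017, 6, 14, 23, 59, 59, tzinfo=timezone.utc)  # discovery date (article)
# hypothetical internal / vendor ranges whose reads are expected
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2017:14:21:05 +0000] "GET /forms/submissions/2016/11/req-1042.json HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.4.2.17 - - [03/Feb/2017:14:25:11 +0000] "GET /forms/submissions/2016/11/req-1042.json HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2017:09:02:44 +0000] "GET /forms/submissions/ HTTP/1.1" 200 5120 "-" "python-requests/2.18"
203.0.113.9 - - [20/Jun/2017:08:00:00 +0000] "GET /forms/submissions/2017/05/req-2210.json HTTP/1.1" 403 212 "-" "curl/7.52"
203.0.113.9 - - [03/Feb/2017:14:30:00 +0000] "GET /about-us HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def is_trusted(ip):
    """True if the address falls inside one of the expected internal/vendor ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_unauthorized_reads(lines):
    """Successful (200) GET/HEAD reads under the protected prefix, from untrusted
    addresses, within the exposure window. Denied or failed requests (403, 404)
    did not disclose content and are left out."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(PROTECTED_PREFIX):
            continue
        if rec["method"] not in ("GET", "HEAD") or rec["status"] != 200:
            continue
        if not (WINDOW_START <= rec["ts"] <= WINDOW_END):
            continue
        if is_trusted(rec["ip"]):
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Counts that go into a breach-notification decision: how many reads,
    from how many sources, touching which stored records."""
    return {
        "reads": len(hits),
        "source_ips": sorted({h["ip"] for h in hits}),
        "paths": sorted({h["path"] for h in hits}),
    }


if __name__ == "__main__":
    found = find_unauthorized_reads(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["ts"].isoformat(), h["ip"], h["path"])
    print(summarize(found))
```

On the constructed sample the scan flags two reads: an individual submission fetched from an untrusted address, and a directory listing of the whole submissions folder, which is the kind of request that turns a single exposed file into a bulk exposure. The trusted-range read and the post-discovery 403 are excluded. In a real investigation the log retention period is the limiting factor: if logs do not cover the whole window, absence of evidence cannot rule out access, which is the conclusion the article reports.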

At no point did the security incident affect the hospital’s electronic health record system or any data stored by the hospital. The only information that could potentially be viewed was information entered via the forms and stored by its vendor.

The breach affects patients who used a range of forms on the website. Those forms collected sensitive information including names, addresses, telephone numbers, email addresses, dates of birth, IP addresses and patients’ marital status. Some patients also had their Social Security number, insurance details and some health information exposed, but only if that information had been submitted via the webforms. While the software update occurred in late November, the breach impacts patients who used the webforms between January 2013 and June 14, 2017, because submissions stored before the update were exposed alongside later ones. In some cases, patients and payment guarantors may have had their information entered into the webforms by a third party and may therefore not be aware that they have been impacted by the incident.

Silver Cross Hospital has now notified all impacted individuals for whom valid contact addresses are held. All individuals affected by the breach have been offered complimentary credit monitoring services for 12 months.

Steps have also been taken to improve security and prevent similar incidents from occurring in the future. Those measures include reviewing and updating policies and procedures related to website security, the provision of additional training for staff members, and a detailed assessment of security practices by experts in the field.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.