A Louisiana health system is sending out notices of a data breach affecting almost 270,000 people after hackers gained access to its network. The health system comprises a 314-bed hospital, a 54-bed women’s hospital, a 42-bed behavioral health hospital, and a primary care clinic for uninsured residents. On October 21, 2022, the health system’s information security team detected unusual activity on its computer network. In the notice posted to its website, the health system said it took immediate action to contain the activity and investigate its cause. On October 25, 2022, it learned that an unauthorized third party had gained access to the network.
The health system reported the breach to law enforcement and launched an investigation with independent experts. The investigation determined that the unauthorized access to their computer network occurred between October 20 and October 21, 2022, during which time the unauthorized third party accessed or obtained certain files from their systems.
The health system reviewed the files and determined that some of them contained patient information, which may have included patient names, addresses, dates of birth, medical record or patient identification numbers, health insurance information, payment information, and limited clinical information about care received at one of its facilities. In some instances, patients’ Social Security numbers were also included.
Beginning December 23, 2022, the health system began mailing letters to patients whose information may have been involved in this incident. They are offering individuals whose Social Security number may have been included both complimentary credit monitoring and identity theft protection services. Patients are encouraged to review statements from their health insurer and healthcare providers, and to contact them immediately if they see any billed services they did not receive.
The health system released a statement that they deeply regret any concern this incident may cause their patients. They report taking this matter very seriously and are continuing to take steps to enhance the security of their systems and the information they maintain to help prevent something like this from happening again.
Compliance Perspective
Issue
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and their business associates to conduct a risk analysis of the threats to the electronic protected health information (ePHI) they create, receive, maintain, or transmit. The health system’s notice does not say how the intruder got in, but the healthcare sector is one of the most frequent targets of ransomware and other intrusions because patient records are both highly sensitive and critical to delivering care, which makes the pressure to pay or to restore access quickly especially high. The Security Rule requires procedures for guarding against, detecting, and reporting malicious software, including ransomware. It is imperative that all nursing facilities become proactive in preventing these attacks, because a breach of unsecured PHI, such as the one described above, is reportable under HIPAA’s breach notification requirements.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, the Privacy and Security Rules, and data integrity. Ensure that they address how to prevent and detect unauthorized access to the facility’s systems, and how to guard against, detect, and report malicious software. Update them as new information becomes available.
- Train appropriate staff on HIPAA, PHI, and the Privacy Rule, including how to recognize and avoid phishing schemes, how to avoid malware exposure, how to prevent unauthorized release of PHI, and how to detect and report malicious software. Provide additional training at least annually and whenever new threats or security information become known. Document that these trainings occurred, and file the signed training record in each employee’s education file.
- Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*