A rural Utah healthcare provider detected unusual activity on its network on November 7, 2022, and later determined that attackers might have accessed or stolen the data of 103,974 patients.
When the incident was first detected, the provider said it immediately took steps to secure its digital environment and engaged a cybersecurity firm to assist with the investigation. The investigation revealed that on or around November 7, 2022, personal information and protected health information (PHI) belonging to patients who received care from the provider between March 2012 and November 2022 might have been accessed or acquired without authorization.
Affected information may have included names, addresses, dates of birth, Social Security numbers, health insurance information, and certain clinical details including diagnosis/conditions, medications, test results, and procedure information. The provider then began the process of locating mailing information to notify the identified patients, which was completed on April 10, 2023. The breach was reported on May 10, 2023, per HIPAA requirements.
The provider said there was no current evidence to suggest misuse or attempted misuse of personal information involved in the incident. They provided the affected individuals with information about steps that they can take to help protect their personal information, and offered complimentary credit monitoring and identity protection services.
To help reduce the risk of a similar future incident, the provider has implemented additional technical security measures, including a global password reset across the entire environment and deployment of an endpoint detection and response (EDR) tool with 24/7 monitoring.
Compliance Perspective
Issue
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and their business associates to conduct an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of the electronic PHI they hold. The Security Rule also requires implementation of security measures that help prevent the introduction of malware, including ransomware. Attackers seek to compromise digital devices, including computers, smartphones, tablets, and even entire networks. Nursing facility leaders and the Privacy Officer must collaborate with their IT department to ensure that the sensitive data housed within their computer systems is protected. All staff who have access to the computer network should be trained on best practices for preventing data breaches and on what they must do to help prevent them. All staff must fully understand how they can help safeguard PHI.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, and the Privacy Rule. Ensure that they address how to secure PHI and how to avoid falling prey to attempts by unauthorized individuals to breach security. Update these documents as new information becomes available.
- Train all staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposures, and unauthorized release of PHI. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred and file the signed training document in the employees’ education files.
- Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and Privacy are being followed by all staff, and that each person demonstrates understanding and competency.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*