A Tennessee-based healthcare company is facing at least five lawsuits after a recent data breach might have exposed the personal information of 11 million patients. The class-action lawsuits that have been filed so far are by people in Tennessee, Florida, Texas, and California.
On July 10, 2023, the healthcare company announced that it had recently discovered that some of its patients’ personal information had been posted on an online forum by an unknown and unauthorized individual. The posted information includes patient name, city, state, and zip code; patient email, telephone number, date of birth, and gender; and patient service date, location, and next appointment date. The company said the information does not include clinical information, payment information, or sensitive information such as passwords and social security numbers.
According to the company, the incident appears to be a theft from an external storage location exclusively used to automate the formatting of email messages. The company reported the incident to law enforcement and retained third-party forensic and threat intelligence advisors. The investigation is ongoing, and the company has not identified evidence of any malicious activity on its networks or systems in relation to the incident.
The company disabled user access to the storage location as an immediate containment measure and said it plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations, and will offer credit monitoring and identity protection services, where appropriate.
Compliance Perspective
Issue
Cybersecurity incidents and data breaches continue to increase across all sectors. In the healthcare sector, hacking is now the greatest threat to the privacy and security of protected health information (PHI). Organizations must be proactive in regularly monitoring system activity for hacking incidents and must have measures in place to sufficiently safeguard PHI. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. The HIPAA Security Rule also requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Hackers seek to compromise digital devices, including computers, smartphones, tablets, and even entire networks. Nursing facility leaders and the Privacy Officer must collaborate with their IT department to ensure that the sensitive data housed within their computer systems is protected. All staff who have access to the computer network should be trained on best practices for preventing data breaches and on what they must do to assist in preventing them. All staff must fully understand how they can help safeguard PHI.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, the Privacy Rule, and data integrity. Ensure that they address how to avoid falling prey to breach attempts by unauthorized individuals, and how to guard against and detect malicious software. Update them as new information becomes available.
- Train appropriate staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposures, and unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and whenever new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
- Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*