Malware Incident in MI Creates Potential PHI Data Breach
May 24, 2016
Shah Sheikh

Michigan-based Complete Chiropractic and Bodywork Therapies has notified patients of a possible PHI data breach after a server was accessed by an unauthorized entity.

According to the OCR’s data breach portal, approximately 4,082 individuals were affected by the healthcare data security event.

Complete Chiropractic and Bodywork Therapies reported that an outside party had gained access to a server containing PHI starting on November 19, 2015. The practice did not discover the intrusion until after the server malfunctioned on March 19, 2016.

The security event likely occurred after malware infected the practice’s systems, stated the notice on its website. With the help of IT forensic experts, the practice determined that the malware probably scanned its systems to acquire login and password information.

The server held patient data, including treatment, billing and EHR information.

Although patients may have had their names, dates of birth, addresses, Social Security numbers, health information, and diagnosis information exposed by the incident, the chiropractic practice confirmed that all EHR data was encrypted.

“However, there is no indication that this information was actually taken or inappropriately used – only that there was an opportunity for the same,” explained Complete Chiropractic and Bodywork Therapies.

Upon discovering the healthcare data security event, the practice was able to secure the server by disabling its connection to the internet. Complete Chiropractic and Bodywork Therapies also changed the passwords for all workstation and vendor profiles and implemented additional security safeguards, such as adding an extra external firewall to track incoming and outgoing traffic.

Additionally, the chiropractic office notified all affected individuals and offered them a free year of identity theft protection, even though it has found no evidence that PHI has been taken or misused.

“CCBT [Complete Chiropractic and Bodywork Therapies] deeply regrets that this incident occurred,” explained the statement. “We are taking this matter very seriously and are working hard to make sure this does not happen again. CCBT hired new IT professionals who come highly recommended based on their HIPAA compliance experience. With the guidance of our new IT professionals, we are adding to the IT safeguards that CCBT already maintained.”

NM county reports healthcare data breach after hacking incident

A hacking incident has resulted in a potential healthcare data breach for alcohol and substance abuse patients in San Juan County, New Mexico.

In an official statement on its website, San Juan County announced that an outside entity had gained access to a county-owned computer, which contained PHI. The hacker was able to access the computer for approximately half an hour.

The unauthorized user may have viewed health information of participants in two treatment programs that collected PHI, explained the statement. San Juan County reported that both programs are designed to help individuals in the criminal justice system, who have been arrested for either drunk driving or substance abuse violations. The treatment programs support offenders as they recover from drug and alcohol addictions.

PHI that may have been accessed by the hacker included names, addresses, health assessments, treatment information, and medication information.

After an internal investigation, San Juan County confirmed that no other information was disclosed in the possible healthcare data breach.

It also conducted a forensic computer investigation and determined that the hacker did not remove any data from the computer. The county stated that it was unlikely that the intruder was able to access the health information.

San Juan County has worked to improve its healthcare data security measures and patient privacy policies since the security event.

“We take your privacy and protection very seriously and we deeply regret that this incident occurred,” reported the notice. “We are now in the process of reviewing our internal policies and data-management protocols and will be implementing enhanced security measures to help prevent this type of incident from recurring in the future.”

The county has advised patients to call its offices, where a county employee will determine whether an individual’s health information may have been exposed in the hacking incident. For all affected individuals who call, San Juan County has agreed to provide free identity protection and repair services.

Although San Juan County did not find evidence that the hacker accessed health information, it has recommended that patients monitor financial accounts for suspicious and unauthorized activity.

Source | HealthITSecurity