In November 2015 Owensboro Health Muhlenberg Community Hospital in Greenville, KY, reported a data breach affecting patients, staff, contractors, and anyone who may have used the hospital’s network between 2012 and July 2015. It turns out that a keylogger had been intercepting the Kentucky hospital’s data for three years. On September 16th, the FBI notified the hospital of suspicious activity involving third-party traffic on its network. Owensboro Health Muhlenberg Community Hospital began an internal investigation and contracted a forensic IT firm. The hospital learned that spyware did indeed have access to its data, compromising information and breaching HIPAA compliance.
The investigation showed that network devices were indeed infected with a malicious keystroke logger that captured data as it was typed while using infected computers and transmitted that data to a third party.
The affected computers were used to enter and access various patient, employee, contractor, and provider data, such as:
- patient financial data and health information
- information about persons responsible for a patient’s bill
- first and last name
- telephone numbers
- date of birth
- social security number
- driver’s license or state ID number
- medical and health plan information (such as patient’s health insurance number, medical record number, diagnoses and treatment information, and payment information)
- financial account number
- payment card information (such as primary account number and expiration date)
- employment-related information
- other credentials, such as Drug Enforcement Administration number, National Provider Identifier, and State License number.
In addition, hospital visitors, employees, contractors and visiting doctors who logged into healthcare systems or external web services from the affected computers could have had their login credentials (such as email address, username, and password) recorded and misused.
Additional damage: exposure to fraud
This relatively large-scale keylogging malware infection could place many patients and hospital employees at risk of identity theft or fraud. The possibilities for fraud include using the stolen data to commit medical, insurance, credit, or tax return fraud.
The fallout from this cyberattack could therefore be considerable, and may cost the hospital an astronomical amount of money.
You may say – this is a large, complicated case. What about a small medical practice or a doctor’s office that does not operate on the scale of a large hospital? As with any legal case, not knowing the law does not exempt you from responsibility. Here is an example of the penalty if an individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA:
- Minimum Penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)
- Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
When a HIPAA violation did not result from willful neglect and it is corrected within 30 days of notice, the OCR cannot impose the civil penalty. So if a medical practice needs to rectify a HIPAA violation after the fact, it must be done as soon as possible, if not immediately.
With proper security measures put in place by hospital IT, this breach could have been avoided or detected early, minimizing the risks. Given the need both to prevent a breach and to respond promptly to one that has already occurred, covered entities and business associates regulated by HIPAA should put a team of professionals in place beforehand. Such a team should include qualified professional IT consultants specializing in HIPAA compliance, legal counsel, and HR and PR professionals.
We provide IT services for medical professionals to ensure HIPAA compliance
Considering how much weight your computer network carries in a modern medical practice, you must turn to trusted IT advisors when it comes to making your practice HIPAA/HITECH compliant.
- Physical and virtual safeguards for ePHI
- Technical Safeguards
- Tracking/Audit Logs
- Strict Technical Policies
- Security of Network and Transmission
No Medical Practice is too small
- Small Medical Practice (1 – 4 Physicians)
- Medium Sized Medical Practice (5 – 10 Physicians)
- Larger Medical Practice (11 – 25+ Physicians)