Over the last few months at least 2 hospital systems have reported incidents in which patient data was compromised. One of the incidents affects over 4 million patients treated within an entire hospital network. It leads some to question whether or not hospitals (or any other type of facility/agency) are adequately prepared to protect confidential patient information. With cyber attacks increasing in frequency, it seems that anyone who deals with patient data should be exploring additional mechanisms to protect themselves from being susceptible to cyber attacks. The second breach is the result of a thumb drive being stolen from an administrative office within the hospital system. That incident calls into question whether or not there are internal policies and protocols in place that would have prevented it. Both incidents will likely lead to various fines and penalties for both agencies. The total cost and impact of the breach of patient information is something we will never really know.
Almost 2 weeks ago Community Health Systems announced that hackers had compromised their entire computer system. Community Health Systems operates 206 facilities in 29 states. The hackers were able to gain access to patient data for an estimated 4.5 million patients who either received treatment at one of their facilities or were referred to their facilities by outside doctors. This attack impacts 4 hospitals here in North Carolina: Davis Regional Medical Center (Statesville), Lake Norman Regional Medical Center (Mooresville), Martin General Hospital (Williamston), and Sandhills Regional Center (Hamlet). In this situation the hackers were able to steal the names, social security numbers, physical addresses, birthdays, and phone numbers of the patients associated with the hospital system over the last 5 years.
While the breach within the Community Health Systems network was only reported recently, according to the investigation conducted by an outside cyber security team the actual attack occurred during April and June of this year. It is also believed that the hackers are a group from China that is suspected of having engaged in corporate espionage in the past. Due to the nature of the attack, the cyber security team is now working with the FBI to attempt to put an end to the activities of the hackers.
The second hospital system that reported a recent breach of confidential patient information was Duke University Health System. The health system announced that a thumb drive was stolen from one of their administrative offices. According to the information released, the thumb drive was not encrypted (an internal security mechanism that typically requires a password to access the data) and contained various types of patient data. The data was limited to patients who were seen at Duke Children’s Health Center and Lenox Baker Children’s Hospital over the last 6 months (December 2013 thru January 2014). The data stored on the thumb drive included: patient names, names of their physicians, medical record numbers, and in some cases the names of other Duke University Health System facilities where they had received services. http://www.newsobserver.com/2014/08/29/4107042/stolen-thumbdrive-had-duke-medicine.html#storylink=cpy
In the case of Duke, the incident was noticed much quicker than the breach at Community Health Systems. The incident was recognized within 6 months of the theft, compared to the Community Health Systems breach, which occurred over years. Duke is working with law enforcement to determine how the theft occurred. According to Duke’s news release, to date none of the patient information has been used.
Regardless of whether the information is used or not, both situations are considered HIPAA violations and both agencies are highly likely to face fines and sanctions from federal agencies. They are also susceptible to civil lawsuits from the patients whose information was compromised in the 2 separate incidents. According to various sources, fines for healthcare related breaches are some of the most expensive fines. On a positive note, one of the sanctions that could come out of the breaches is that both agencies are ordered to take “corrective actions,” which might force both agencies to comply with orders to improve their current IT security infrastructure, precautions and protocols. http://www.beckershospitalreview.com/healthcare-information-technology/how-much-will-the-chs-breach-cost.html
Have a great day!