EHR data breach exposes medical records of 19,000 patients
An Arkansas healthcare network recently released a HIPAA Security Notification stating that a 2015 data breach may have exposed the personal information of as many as 19,000 patients. According to the Pain Treatment Centers of America and Interventional Surgery Institute, hackers accessed the network's EHR system files through data servers owned and operated by third-party vendor Bizmatics.
The breached files included patient medical records, along with "health visit information, name, address, health insurance information, driver's license number or other ID and, in some cases, a Social Security number. No credit card or financial information is stored in [the] patient file," the security notification explained.
PTCOA CEO Bill McCrary said patient files weren't necessarily the target of the attack and, in fact, the healthcare network isn't even sure hackers accessed or stole the information they contain.
As is standard in consumer data breach situations, PTCOA is offering credit alert protection to patients for one year. The organization also established a direct extension so that patients can quickly reach call center specialists for further assistance.
"In a likely related incident, Bizmatics was also involved in another potential healthcare data breach with a different client. Complete Family Foot Care in Nebraska reported that 5,883 patients were affected by a possible PHI data breach caused by unauthorized access to Bizmatics servers," reported Health IT Security.
Earlier this month, Mark Menke, security expert and CTO of Network DLP at Digital Guardian, predicted EHR vendors will become an increasingly attractive target for cybercriminals. "With web-based EHR systems, hackers can easily access data from hundreds or thousands of health networks in a singular attack," Menke explained. "It's also likely that web-based EHR systems, like other similar applications, suffer from many common vulnerabilities that might give attackers access to backend systems and data – from SQL injections to cross site scripting."