Hackers have penetrated a decommissioned net server at healthcare Business Partner, Onsite Health Diagnostics (OHD), and got access to patient files for a period of 3 months before the incursion was identified.
OHD is a Dallas-based subcontractor for offering medical screening and testing services under a health plan managed by Healthways for the state of Tennessee. The business has tens of thousands of protected health files.
On January 4, 2014, hackers gained accessibility to an outdated network server having patient files which included names, phone numbers, addresses, email addresses as well as gender. No healthcare data or Social Security numbers were present on the server.
The infringement was noticed by OHD on April 11, 2014, and an inquiry was instantly started which confirmed that 60,582 files were possibly seen and copied by the hacker. The inquiry was carried out by an external information technology security and computer forensics business.
The company established that the data pertaining to persons who took part in health diagnoses in 2013 under Local Government Insurance Plan Tennessee’s State Insurance Plan, and a Local Education Insurance plan.
A breach notice was delivered to the media in which it was verified that about one in five state employees were affected by the violation. Notice letters will be dispatched to all affected informing them of the security occurrence in due course. Patients will be presented a year of credit checking services free of charge, even though at this phase it doesn’t seem that the data has been used for deceitful purposes.
Healthcare Business Under Attack
Business Partners are now protected under HIPAA and can be held responsible for data breaches showing Protected Health Information. The penalties for HIPAA breaches can increase to $1.5 million for each breach kind and the Department of Health and Human Services’ Office for Civil Rights checks breach statements and conducts inquiries in incidents where data breaches seem to have led to violations of HIPAA Laws. It isn’t evident at this point whether Onsite Health Diagnostics applied the correct precautions to safeguard the server as needed by the HIPAA Security Law.
Healthcare providers as well as their business partners should make sure that all servers – whether old or new– have suitable safeguards in place to protect PHI. The healthcare business is presently being targeted by hackers and just last month the Montana Department of Public Health and Human Services was hacked, revealing more than 1 million files having 97,000 records gotten by hackers from NRAD Medical Associates in June.