Breaches at Brooklyn Hospital Center and Washington University School of Medicine Compromised PHI

Brooklyn Hospital Center in New York announced a security breach that happened in late July 2019 involving malware installation on some hospital servers.

The quick discovery of the incident minimized the problems caused since safety steps were taken. Nevertheless, encryption of some files still happened.

With the help of a third-party digital forensics firm investigating the nature and scope of the attack, encrypted files were retrieved. After full efforts to get back the encrypted files, the experts reported on September 4 the inability to retrieve certain patient information.

The hospital center didn’t lose all medical files, just some dental and cardiac photos of patients. The hospital reviewed its records to determine the impacted patients and notified them. The attackers’ intention looks like it’s just to extort money from the hospital and not sensitive data access just like in other ransomware attacks. So far, there is no report of patient information misuse received. The forensic experts likewise had not tracked down any signs of patient data access or exfiltration.

Brooklyn Hospital Center already installed tight security controls to avert cyberattacks, however, those were not enough as the attackers bypassed them in this case. The center reviewed policies, procedures, and existing security routines and enhancements are underway to avert breaches in the future.

Unauthorized Access to PHI at Washington University School of Medicine

An unauthorized individual accessed a Washington University School of Medicine (WUSM) email account using an employee’s personal laptop and potentially compromised the protected health information (PHI) of a number of patients from the Department of Ophthalmology and Visual Sciences.

The unauthorized individual accessed the email account covering the period between April 29, 2019 and September 3, 2019. According to the investigators of the incident, the individual has a personal relationship with an employee of the WUSM. A third-party forensic company looked into the incident to find out what information in the compromised account the individual may have accessed. The messages and attachments in the email account comprised patients’ names, birth dates, medical record numbers, treatment and clinical information, diagnoses, names of providers, and prescription information. A number of patients’ health insurance information and Social Security numbers were similarly potentially compromised.

The investigators were unable to identify which email messages and attachments were opened, hence notification of all individuals whose PHI was probably compromised was undertaken. People who had their Social Security numbers potentially exposed received free credit monitoring and identity theft protection services.

WUSM knew about the breach on September 3, 2019 after a number of patients reported getting a letter relating to an Ophthalmology Department employee. The succeeding investigation confirmed the security breach, but it can’t be determined why the perpetrator contacted those people.

Because of the incident, WUSM enforced more security enhancements and re-trained its employees concerning password regulations.

The Department of Health and Human Services’ Office for Civil Rights’ breach website the incident as laptop theft where 3,237 patients were affected.

About Christine Garcia 1200 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA