Inova Health System, a non-profit health organisation based in Falls Church, Virginia, has announced that it has experienced a data breach. The protected health information (PHI) of over 12,000 of its patients may have been compromised.
Inova Health System first contacted local law enforcement on September 5, 2018, after an employee at the facility noticed suspicious activity on the system. It was suspected that an unauthorised individual had gained access to the system and was illegally accessing patient files. A third-party computer forensics firm was contracted to assist with the investigation into this activity, and the suspicion was confirmed. Inova Health System and the forensics firm then jointly investigated the exact cause of the breach and how many patients were affected.
The investigators discovered that access was gained to Inova Health System’s patient billing system. The system was first accessed by the unauthorised individual in January 2017, and then again between July and October 2017. The system was accessed using the login credentials of an employee at the healthcare organisation.
These login credentials had previously been used in December 2016 to access the paper billing records of a small number of patients. Signs therefore pointed to this being an “insider” breach, committed by a member of staff, a business associate, or a former employee. Inova Health System has yet to make any public statement revealing the identity of the individual to whom the login credentials belonged.
The investigators have identified 12,3331 patients affected by the breach. In accordance with HIPAA’s Breach Notification Rule, Inova Health System began mailing breach notification letters to the affected patients on November 2. The organisation has agreed to fully cooperate with law enforcement in its investigation.
All patients affected by the breach have been offered one year of credit monitoring and identity theft protection services without charge. Patients who are affected by breaches are particularly vulnerable to identity theft and fraud. Healthcare data has a high black market value, which acts as a potential incentive for those working within the industry to steal data to use for nefarious purposes. Although hacking/IT breaches garner a great deal of media attention, so-called “insider” breaches are also serious threats to the integrity of PHI.
Investigators have concluded that the types of information that may have been accessed during the breach included patient names, addresses, birth dates, medical record numbers, and Social Security numbers. The treatment information of a small number of the patients may have also been accessed.
In response to the breach and its aftermath, Inova Health System has committed to enhancing its security protocols. Additional monitoring tools have been deployed to identify unauthorised access, password policies have been updated to address password complexity, and new limitations on the transmission of information have been implemented. All employees at the facility have been enrolled in training courses on password security and on securing sensitive information before leaving their workstations unattended. A review of security policies and procedures has also been conducted.