On January 1, 2022, a Florida-based healthcare system notified patients and staff that their personal information was subject to a data breach that began on October 15, 2021. There are reports that the data breach affected more than 1.3 million patients and staff.
The statement issued by the healthcare system indicated that an intruder gained unauthorized access to its network through the office of a third-party medical provider that was authorized to access the network in order to provide healthcare services. The data breach, which began on October 15, 2021, and was discovered four days later, was immediately contained. The healthcare system promptly notified the FBI and the Department of Justice (DOJ), required a password reset for all employees, and hired an independent cybersecurity firm to conduct an investigation. The DOJ requested that the healthcare system delay notifying patients and employees of the breach to ensure that the investigation was not compromised.
The healthcare system also engaged a data review specialist to conduct an extensive analysis to identify what data had been compromised, and determined that some patient and employee personal information could have been impacted. The data accessed without authorization included name, date of birth, address, financial or bank account information, Social Security number, insurance information, health history, driver’s license number, and email address.
The statement issued by the healthcare system recommended that impacted patients and employees take steps to prevent medical identity theft, which could include someone using the identity of an affected patient or employee to fraudulently bill for medical services that were never provided.
The healthcare system recommended that the affected patients and employees monitor their financial accounts and contact their financial institution if unauthorized activity occurs. It also recommended that the affected individuals obtain a free copy of their credit report.
Issue:
Nursing facility leaders and the Data Security Officer must collaborate with their IT department to ensure that the sensitive data housed within the facility’s computer systems is protected. All staff and other authorized users who have access to the computer network should be trained on best practices for preventing data breaches. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6, Data Integrity.
Discussion Points:
- Review facility policies and procedures on cybersecurity. Ensure that these are kept current based on best practices for preventing data breaches and other violations of the HIPAA Privacy Rule.
- Train all appropriate staff, contractors, vendors, and/or business associates with access to confidential data on best practices to prevent breaches and reduce risks and vulnerabilities in order to maintain compliance with HIPAA requirements. Ensure that staff and others with access authorization understand their roles in maintaining the confidentiality and integrity of all protected health information that the facility creates, receives, maintains, or transmits. Document that the training occurred and file the record in each employee’s education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that staff are knowledgeable about and using best practices for preventing data security breaches. Conduct a data security risk assessment at least annually that is technology-specific and seeks to identify security vulnerabilities so that corrective and preventive actions can be taken.