3rd Party Risk Management , Fraud Management & Cybercrime , Governance & Risk Management
Malware Breach Affects 1.2 Million Medical Center Patients
Baptist Medical Center Latest on Growing List of Entities Reporting Major HacksA malware incident involving the exfiltration of data and affecting more than 1.24 million patients from two Texas hospitals adds to a list of major breaches likely to continue growing.
See Also: How Overreliance on EDR is Failing Healthcare Providers
As of Monday, an incident at San Antonio-based Baptist Medical Center and Resolute Health Hospital of New Braunfels involving a network server ranks as the fourth-largest health data breach posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool reporting website.
Experts predict even more hacking incidents and major health data breaches compromising patients' protected health information will occur in the coming weeks and months.
"We are failing in our duty to implement basic administrative policies and technical resources to monitor the activity of information systems that manage this data," says privacy attorney David Holtzman of consulting firm HITprivacy LLC.
"We need to take a hard look at steps to prevent the same failures to defend and respond to cybersecurity incidents over and over and over again."
Commonly called the "wall of shame," the HHS Office for Civil Rights website lists major health data breaches affecting 500 or more individuals.
Four of the 10 largest breaches so far this year - including the Baptist Medical Center incident - have occurred this month, the website shows.
Baptist Breach Details
In a statement, Baptist Medical Center and Resolute Health Hospital - both part of San Antonio-based Baptist Health System - say it was discovered on April 20 that certain systems within their network may have been infected with malicious code.
An ongoing forensics investigation determined that an unauthorized third party had accessed certain systems containing personal information, removing some data from the network between March 31 and April 24, the statement says.
Information potentially affected in the incident includes patient name, date of birth, address, Social Security number, health insurance information and medical information - such as medical record number, dates of service, provider and facility names, chief complaint or reason for visit, and other visit, procedure and diagnosis information, the statement says.
Other information also potentially affected includes billing and claims information.
Driver's license number, credit and debit card information, bank account information and account passwords were not involved in this incident, the statement says.
Baptist Medical Center says it is enhancing security and monitoring capabilities, and systems are being "hardened as appropriate" to minimize the risk of similar incidents in the future.
The hospital did not immediately respond to Information Security Media Group's request for additional details about the incident, including whether the malware involved was ransomware.
Taking Action
Some experts say that the Baptist Medical Center incident is the latest in a disturbing trend that continues to worsen, involving compromises of patient information.
Attorney Rachel Rose says the most recent spate of hacking incidents affecting millions of individuals offer up several important lessons.
The most prudent courses of actions illustrated by these incidents includes the importance of organizations making sure patches are up to date, reviewing disaster recovery and business continuity plans and revising them where needed, conducting refresher training highlighting other recent security events, and conducting annual security risk analysis, she says.
Rose adds: "The trend that we have seen lately is outside attacks from external hackers. While people are watching for that, internal threats should also be given equal attention."