Cyber Security Summary – June 2017

Cyber Security Summary – June 2017

While June was less eventful than May, it was still a big month regarding healthcare cyber security.  June is right in line with the 2017 monthly median for healthcare data breaches, but it is almost three times over the monthly median for records compromised. In June 2017 there were 26 healthcare data breaches and approximately 661,055 individuals affected by these breaches.

Since the beginning of the year
From the beginning of January through the end of June, there has been a total of 12,389,462 records compromised and 791 data breaches. Of those data breaches the healthcare industry, with 178 breaches and over 3 million records compromised, accounted for 22.5% of data breaches and 24.3% of records compromised.

Notable Incidents

Non-secure disposal of information
A Texas-based hospital notified patients about a possible security breach this month. This notification to patients was a result of a box of medical forms with PHI being found near an unsecured dumpster.  This incident, that may have affected 1,842 patients, gave unauthorized access to patient information including names, birth dates, case numbers and phone numbers.  It is unsure if additional information including mailing addresses, SSNs, health information and financial numbers were included in these forms. While there is no evidence to show these forms are being used maliciously, the organization offered concerned patients one year of free credit monitoring and are reviewing their current processes of PHI disposal to make any necessary changes.

Compromised while making education material
A Children’s Hospital in Missouri discovered a security threat through an unauthorized website that contained PHI collected by a hospital physician. The physician was using the information to create an educational resource. While the records were password protected the hospital considered the security measures in place insufficient. If an unauthorized individual or group accessed the site they would have  potentially been able to access sensitive information including names, medical records numbers, gender, dates of birth, encounter number, age, height, weight, body mass index, admission dates, discharge dates, procedure dates, diagnostic and procedure codes, and brief notes. The hospital took down the website immediately after it was discovered.

Health records found on side of the road
A healthcare organization in Tennessee misplaced documents that contained patient names, dates of birth, admitting diagnoses, account numbers and physician names. Luckily these records were found on a rural road in the area.  Further investigation revealed that documents did not include SSNs or medical records.