Billing Files of 12,331 Patients of Inova Health System Have Been Compromised

November 11, 2018


Falls Church, VA-based Inova Health System has begun informing 12,331 patients that some of their protected health information (PHI) has been accessed by an unauthorized individual.

Inova Health System was contacted by law enforcement on September 5, 2018 about a suspected breach of patients’ billing information. A prominent computer forensics company was hired to investigate the breach and determine the nature of the attack and the extent of the breach.

The investigation revealed that Inova's billing system was first accessed by an unauthorized individual in January 2017, and again between July and October 2017. Access was gained using the login credentials of an Inova worker.

Unusually, Inova also reported that the same person gained access to paper billing files of a small number of patients in December 2016, which indicates that this might have been an insider breach involving an ex-employee, business partner or another person with access to Inova services. Nevertheless, Inova has not made public any information about the person responsible for the breach.

The types of information accessed included patient names, medical record numbers, birth dates, addresses, and Social Security numbers. Treatment information of a limited number of patients may also have been accessed.

The data breach has prompted Inova to strengthen its security procedures. Additional monitoring tools have been installed to detect unauthorized access, password rules have been updated with respect to password complexity, and new restrictions on the distribution of information have been applied. Workers have been retrained on safeguarding confidential information before leaving their workstations unattended and on password security. A review of security plans and procedures has also been carried out.

Inova began mailing breach notification letters to affected patients on November 2 and is assisting law enforcement with its investigation.

All patients affected by the breach have been offered one year of credit monitoring and identity theft protection services free of charge.