May 25, 2018
Baltimore-based healthcare provider LifeBridge Health disclosed, in a press release issued on May 16, that it had suffered a data breach. Although the release did not mention the number of patients affected at the time it was issued, more information has now been released.
LifeBridge Health discovered on March 18, 2018 that malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals as well as LifeBridge Health’s patient registration and billing systems.
The discovery of the malware prompted an in-depth investigation to determine when access to the server was first gained. LifeBridge Health then engaged a national computer forensics company to assist with the investigation, and the company found that access to the server was first gained 18 months earlier, on September 27, 2016.
The information held on the server included patients’ names, clinical and treatment details, medications prescribed, diagnoses, addresses, dates of birth, insurance information and a small number of Social Security numbers.
LifeBridge Health has found nothing to indicate that any patients’ PHI has been misused, but as a precautionary measure, all patients whose Social Security numbers might have been accessed by the attackers will be offered free credit monitoring and identity theft protection services for one year.
Moreover, all patients have been urged to carefully check their billing and explanation of benefits statements for any medical services charged but not received. Patients have been asked to report any discrepancies to their insurance carriers as soon as they can.
LifeBridge Health has not released details of how access to the server was gained, although its response to the incident provides some hints. In the official breach notification, the healthcare provider said it has “increased the difficulty of its password requirements and the safety of its system.”
The LifeBridge Health data breach is the second largest healthcare data breach to be reported in 2017. The breach report submitted to the Division of Health and Human Services’ Office for Civil Rights (OCR) shows that 538,127 patients have possibly been affected.
Although this data breach is not as large as the security breach reported by the California Department of Developmental Services (CDDS) in April, it is definitely more dangerous for the people affected.
The CDDS breach, which probably affected 582,174 patients, was a robbery, and it is not clear whether any PHI was actually viewed or obtained by unauthorized individuals. All electronic equipment stolen by the thieves was protected with encryption, and no paperwork appeared to have been stolen.