May 25, 2018
Baltimore-based healthcare provider LifeBridge Health has disclosed, in a press release issued on May 16 that it had faced a data breach. Although the release made no mention to the number of patients affected at the time of it being issued, further information has now been issued.
LifeBridge Health found on March 18, 2018 that malware had been put on a computer network that hosted the electronic medical document system used by LifeBridge Potomac Experts and LifeBridge Health’s patient enrolment and billing systems.
The recognition of malware resulted in an in-depth inquiry to decide when access to the computer network was first obtained. LifeBridge Health then employed a national computer forensics company to assist with the inquiry with the company finding that access to the server was first set up 18 months earlier on September 27, 2016.
The kind of information held on the computer network included patients’ names, clinical and treatment details, medications prescribed, diagnoses, addresses, dates of birth, insurance information and a small number of Social Security numbers.
LifeBridge Health has found nothing to indicate any patients’ protected health information has been used wrongly, but as a preventive measure, all patients whose Social Security numbers might have been accessed by the attackers will be provided free credit checking and identity theft protection facilities for one year.
Moreover, all patients have been advised to carefully check their billing and explanation of benefits statements for any medical facilities charged but not sent. Patients have been requested to report any inconsistencies to their insurance carriers as soon as they can.
LifeBridge Health has not issued particulars of how access to the computer network was obtained, even though its reaction to the incident provides some hints. In the formal breach notice released, the healthcare supplier said it has “increased the difficulty of its password requirements and the safety of its system.”
The LifeBridge Health data breach is the second largest healthcare data breach to be informed in 2017. The breach statement delivered to the Division of Health and Human Services’ Office for Civil Rights (OCR) indicates 538,127 patients have possibly been impacted.
Though this data breach is not as large as the safety breach informed by the California Department of Developmental Services (CDDS) in April, it is definitely more hazardous for the people impacted.
The CDDS breach, which probably impacted 582,174 patients, was a robbery and it’s not clear whether any PHI was really seen or acquired by illegal people. All electronic equipment stolen by the thieves was safeguarded with encryption and no paperwork seemed to have been stolen.