
Phishing Attack On Hospital Could Impact 1.4 Million Patients

Posted on August 3, 2018 | Written By

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience. Her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

A hospital in West Des Moines, Iowa has entered its third month of public disclosure after experiencing a data breach which could impact 1.4 million patients.

On May 31st, UnityPoint Health discovered that a phishing attack on its business email system had created a breach. Its investigation found that the company got a series of fraudulent emails pretending to have come from an executive within UnityPoint. After contacting law enforcement and beginning to research the situation, UnityPoint disclosed the existence of the breach to the public.

The patient information exposed includes names, addresses, dates of birth, medical record numbers and insurance information. Cyber attackers may also have gotten access to patient Social Security numbers and/or drivers’ license numbers. In a limited number of cases, attackers might even have been able to access patients’ payment card or bank account numbers.

Since then, UnityPoint has continued to keep its patients aware of any news on the situation, a painful yet necessary process which can help it rebuild its credibility. After all, it’s likely that the news of UnityPoint’s breach will get consumers very upset.

In fact, a new survey by SCOUT in partnership with The Harris Poll found that 49% of American adults are extremely or very concerned about the security of their personal health information. Given the fact that they’ve been hit with news of such breaches very regularly in recent years, it’s little wonder.

It’s worth noting that many consumers aren’t using online healthcare tools very often. For example, while 39% of those aged 18 to 34 used online portals to access their health information, all told only 36% of Americans overall use this technology.

As their health information knowledge increases, though, most patients become more concerned with what providers do to protect the privacy and security of their healthcare data. They learn how valuable this data is to potential buyers, and how there’s a ready market for their data in clandestine, impossible-to-track sites on the Dark Web.

Also, as the tenor of news coverage shifts from technical terms like “data breach” to tales of what happened to specific consumers, it’s likely that consumers will develop a more realistic view of what’s at stake here. If they’re freaked out at that point, they’ve probably figured out how a breach could impact their lives.

Pager Breach Exposes Patient Data From Six Hospitals

Posted on July 6, 2018 | Written By Anne Zieger

The IT worker was shocked. All he had done was buy an antenna and try to get TV channels on his laptop computer, but to his amazement, he inadvertently intercepted a flood of unencrypted pager messages chock full of private patient data.

The pager messages flooded in from six Kansas City area hospitals, including the University of Kansas Hospital, Cass County Regional, Liberty Hospital, Children’s Mercy Hospital, St. Mary’s Medical Center and Wesley Medical Center. All told, the man had gotten access to information on hundreds of patients, in a fusillade of potential HIPAA violations.

According to an article in the Kansas City Star, patients who learned about the breach were horrified. “Who knows what else is going on, if it’s that easy for that information to get out there?” one woman told the newspaper. “There’s a big security breach there that needs to be stopped.”

When the paper spoke to the hospitals involved, some punted and didn’t respond to questions. Others shrugged off the problem or suggested that the breach was not a big deal.

For example, the University of Kansas told the reporter that the pager vulnerability was due to “a specific vulnerability in our paging system that may allow access to certain personal health information in limited circumstances.” It seems that an apology was not forthcoming.

Another hospital, Children’s Mercy, told the Star that the IT worker was to blame for the problem, contending that the pager data was only accessible to “local hackers with specific scanning and decoding equipment, and technical knowledge of how to use it for this specific purpose.” In other words, the breach wasn’t really its fault.

As the article points out, the IT worker could be accused of violating the Electronic Communications Protection Act, which restricts the interception of electronic communications. For that reason, the paper never identifies him. But the article strongly suggests that he was surprised to see the messages and operated in good faith.

The worker, for his part, sensibly argues that the hospitals should have realized that the messages were in the clear. “It’s security by obscurity at this point, and that’s scary,” he told the paper. “In my line of work you see a lot of ‘Let’s hope nobody finds it,’ [or] ‘It’s hard to find, so it’s pretty secure.’ That’s not enough. We can’t just trust people won’t stumble upon it. We have to assume that they do.”