
Phishing Attack On Hospital Could Impact 1.4 Million Patients

Posted on August 3, 2018 | Written By

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

A hospital in West Des Moines, Iowa has entered its third month of public disclosure after experiencing a data breach which could impact 1.4 million patients.

On May 31st, UnityPoint Health discovered that a phishing attack on its business email system had created a breach. Its investigation found that the company got a series of fraudulent emails pretending to have come from an executive within UnityPoint. After contacting law enforcement and beginning to research the situation, UnityPoint disclosed the existence of the breach to the public.

The patient information exposed includes names, addresses, dates of birth, medical record numbers and insurance information. Cyber attackers may also have gotten access to patient Social Security numbers and/or drivers’ license numbers. In a limited number of cases, attackers might even have been able to access patients’ payment card or bank account numbers.

Since then, UnityPoint has continued to keep its patients aware of any news on the situation, a painful yet necessary process which can help it rebuild its credibility. After all, it’s likely that the news of UnityPoint’s breach will get consumers very upset.

In fact, a new survey by SCOUT in partnership with The Harris Poll found that 49% of American adults are extremely or very concerned about the security of their personal health information. Given the fact that they’ve been hit with news of such breaches very regularly in recent years, it’s little wonder.

It’s worth noting that many consumers aren’t using online healthcare tools very often. For example, while 39% of those aged 18 to 34 used online portals to access their health information, all told only 36% of Americans overall use this technology.

As their health information knowledge increases, though, most patients become more concerned with what providers do to protect the privacy and security of their healthcare data. They learn how valuable this data is to potential buyers, and how there’s a ready market for their data in clandestine, impossible-to-track sites on the Dark Web.

Also, as the tenor of news coverage shifts from technical terms like “data breach” to tales of what happened to specific consumers, it’s likely that consumers will develop a more realistic view of what’s at stake here. If they’re freaked out at that point, they’ve probably figured out how a breach could impact their lives.

Pennsylvania Hospital Sees Data Breach

Posted on June 16, 2014 | Written By Anne Zieger

No matter how careful you are with patient data, there’s always a way for it to slip out the door or be accessed illegitimately. That’s why a Pennsylvania-based hospital has been forced to notify almost 2,000 patients that an employee had committed a HIPAA breach.

The 551-bed Penn State Milton S. Hershey hospital learned, after conducting an internal investigation, that an employee accessed and transmitted protected health data outside of the hospital’s secure information network. The hospital was forced to inform 1,801 patients that their names, medical record numbers, lab tests and results and visit dates could conceivably have been accessed by unauthorized persons or entities due to an employee mistake.

The HIPAA breach was due to a mistake by a Penn State Hershey clinical laboratory technician, who was authorized to work with PHI but did so insecurely. The lab tech accessed patient data via an insecure USB device through his home network rather than the hospital network, and also sent patient data via his personal email address to two hospital physicians.

To date, Penn State Hershey has had a respectable track record for security. As HealthcareITNews notes, this is the first large HIPAA breach the facility has reported to HHS.

But there’s clearly an education gap here if an otherwise well-behaved lab tech didn’t know that he would be compromising data if he accessed and sent it this way.

To prevent breaches like this from becoming common, hospitals need to keep up an ongoing education program which continually re-emphasizes the dangers of outside-network communication, unencrypted communications, data storage on easily stolen laptops and phones and more. But few hospitals offer the level of education required to fend off everyday accidents like this one.

But education isn’t the only security challenge facing hospital IT departments. There’s also an issue that remains in hospital security which, as we discuss HIPAA breaches, is worth a quick note. While it’s critical to educate staffers on what they can do to avoid HIPAA breaches, health IT departments themselves may need a refresher from time to time, notes my colleague John Lynn.

John notes that while hospital IT staffers may have strong antivirus software protecting their facility, their malware protections are often weak, as software that locks staff computers down too much often makes users angry.

As he sees it, the next wave of security breaches may not be due to human error (or malicious content) but unseen malware quietly feeding data to health data thieves. Not only that, he expects to see personal mobile phones get compromised and infect the hospital network. All scary stuff.