[BreachExchange] Authorities continue investigating computer breach at ARH

[Audrey McNeil]

http://www.register-herald.com/news/authorities-continue-
investigating-computer-breach-at-arh/article_776e6359-f977-
5d26-9e3c-76517cf7fc3b.html

West Virginia requires hospitals to notify patients when private
information is comprised, but three days after discovering its computers
were hacked, Appalachian Regional Healthcare has yet to said what data was
breached and if confidential patient records were stolen.

"It is the responsibility of the comprised hospital to take action and make
the required notifications," said Alison C. Adler, director of
communications for the Department of Health and Human Resources, which
oversees the Office of Health Facility Licensure and Certification.

Adler said patients have a right to privacy and hospitals must have a
policy regarding the security of their medical records.

On Saturday, ARH, which runs Beckley Appalachian Regional Hospital and
Summers County Appalachian Regional Hospital, said its computers were
compromised by a virus that struck its electronic web-based services and
electronic communications. All computers were shut down to prevent further
spreading of the virus. Currently, patient care, registration, medication,
imaging and laboratory services are being managed manually.

Two emails sent to Melissa Cornett, ARH's spokesperson, went unanswered
Monday. Instead the company released a statement noting that Appalachian
Regional Healthcare is working closely with federal authorities who are
investigating the computer system breach at the Beckley and Summers County
locations.

The release said ARH is working to determine which systems are affected and
fully restore all electronic communications and access to web-based
services. No estimated restoration time was provided.

All facilities and services remain open as normal, including emergency
departments. ARH is monitoring patient care processes during this time to
determine when areas might require extra staff and resources.

ARH will also regularly assess any critical patients to determine if their
condition warrants transfer to another medical facility.

When visiting affected facilities, the release said all patient care,
registration, medication, imaging, and laboratory services are being
handled manually, which could result in the process taking slightly longer
than when relying on computers for such processes.

To help expedite this process, ARH asks that any patient bring prescribed
medications and any medical history information with them when visiting
physician practices or the emergency department.

“Appalachian Regional Healthcare (ARH) regrets any inconvenience caused to
our patients and staff by the issues we have experienced since Saturday
morning as the result of a computer virus," said Dr. Maria Braman, ARH Vice
President of Medical Affairs.

"We appreciate the patience our patients, staff and physicians have shown
during this time."

But patience by patients is running out. Over the weekend, several patients
expressed concern over the hospitals' silence on what personal data was
breached. Patients want to know if their bank accounts, Social Security
numbers, date of birth and medical history were comprised, but have yet to
receive any contact from ARH.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160831/bce38a3f/attachment.html>