[BreachExchange] Patients to clean up a breach after protective services not offered

Destry Winant destry at riskbasedsecurity.com
Fri Apr 19 05:03:44 EDT 2019


https://www.healthdatamanagement.com/news/patients-to-clean-up-a-breach-after-protective-services-not-offered

A virus that prohibited access to files crippled IT systems at
Centrelake Medical Group this past February.

It appears the virus was not ransomware, but it did deny access to
data, according to executives of the healthcare organization, which
has eight locations in California.

The organization’s breach notification letter does not include an
offer of protective services to affected individuals, which are
sometimes offered in similar incidents.

“Centrelake encourages affected individuals to remain vigilant against
incidents of identity theft and fraud, and to seek to protect against
possible identity theft or financial loss by regularly reviewing their
financial account statements, credit reports and explanations of
benefits for suspicious activity,” patients were told.

The company restored its system and got help from a forensics firm in
determining the nature and scope of the attack.

“As part of our ongoing investigation, we determined this virus was
introduced by an unknown third party that had access to certain
servers on our information system, which contain personal and
protected health information relating to current and former Centrelake
patients,” according to the notification letter, which was sent to
patients and business partners.

“After a review of available forensic evidence, we determined that
suspicious activity began on our network on Jan. 9, 2019, lasting
until the virus infection on Feb. 19, 2019.”


While Centrelake asserts there is no evidence that the third party
viewed or took patient information stored on its systems, the organization
did confirm that impacted servers held files and software applications
that may have included names, addresses, phone numbers, services,
diagnoses, drivers’ license numbers, health insurance information,
referring provider information, medical record numbers, dates of
service and Social Security numbers.

In the notification letter, the organization did not publicly disclose
how many patients were affected, but that information is mandated to
be sent to the HHS Office for Civil Rights, which enforces HIPAA rules
and maintains a data breach website. Centrelake could run afoul of
OCR, which is encouraging organizations to offer protective services.
