[BreachExchange] Navicent Health Reports Data Breach from July 2018 Cyberattack

Destry Winant destry at riskbasedsecurity.com
Wed Mar 27 09:13:04 EDT 2019


Navicent Health, the second-largest hospital in Georgia, is notifying
patients that their personal data was potentially breached after a
cyberattack on its employee email account system.

According to the notice, officials first discovered an unauthorized
third-party gained access to its employee and hosted email accounts in
July 2018. An investigation was launched into the security incident
with help from an outside forensics security firm to determine what
patient information was compromised in the attack. Law enforcement was
also notified.

The investigation concluded on January 24, which determined the
accounts contained patient names, dates of birth, addresses, and
limited medical data, like billing and appointment information. Some
patients’ Social Security numbers were compromised in the attack;
those patients will receive a year of free identity theft protection

Officials said they don’t know if any of the data was viewed or
acquired by the hacker. Further, they could not “isolate exactly what,
if any, information may have been obtained.” However, the cyberattack
was limited to employee email accounts and did not impact Navicent’s
network or EHR system.

Navicent is currently evaluating additional platforms, educating
employees, and reviewing its technical controls. Officials did not
explain if the review caused a delay in breach reporting, given the
attack happened nearly eight months ago.

Under HIPAA, covered entities and business associates are required to
report a breach within 60 days of first discovering the incident. The
Department of Health and Human Services have settled with several
health organizations in recent years for failing to timely report a

In 2017, Presence Health became the first provider to settle with the
Office for Civil Rights over a lack of timely breach notification. The
Illinois-based provider paid OCR $475,000, as a result of that
failure, despite the fact just 836 patients were impacted.

Despite the settlement and HIPAA rule, there have been several breach
notifications in recent months where timeliness has been a factor. The
largest, Wolverine Solutions Group, has been rolling out notifications
to its providers since a ransomware attack breached its network in
September 2018.

The third-party vendor explained that the investigation was ongoing
since the initial attack, which caused the “rolling breach
notifications” as officials attempted to determine just what clients
and information were involved. In total, Michigan’s Attorney General
estimated that about 600,000 patients were impacted by the attack.

More information about the BreachExchange mailing list