Earlier this month, LifeBridge Health, a Baltimore-based healthcare provider, announced that it had discovered a data breach in its organisation. An initial press release about the breach was issued on May 16, although this offered no information on the number of patients who had been affected. Since then, it has released updates on the extent of the breach.
On March 18, 2018, employees at LifeBridge Health discovered malware had been installed on one of their servers. This particular server hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems.
After the malware had been discovered, an investigation was launched to determine when the attackers first gained access to the servers and the extent of the damage. LifeBridge Health contracted a national computer forensics firm to assist with the investigation. The contractors eventually established that access to the server was first gained 18 months previously on September 27, 2016. Further investigations were launched to determine whether any of the patient information had been misused in this period.
The information stored on the server included patients’ names, dates of birth, addresses, diagnoses, medications prescribed, clinical and treatment information, insurance details, and a limited number of Social Security numbers.
Following further investigations, LifeBridge Health has uncovered no evidence to suggest any patients’ protected health information has been misused. However, as a precaution, all patients whose Social Security numbers were potentially accessed by the attackers will be offered credit monitoring and identity theft protection services for 12 months without charge.
As information about insurance coverage had been stolen, all patients have been advised to carefully check their billing and explanation of benefits statements for evidence of identity theft. Patients have been advised to report any discrepancies to their insurance carriers as soon as possible.
In its statements, LifeBridge Health has not disclosed how access to the server was gained. However, its statement indicated that its security system may have had failings which allowed the breach to occur. In its breach notice, the healthcare provider said it has “enhanced the complexity of its password requirements and the security of its system.”
The LifeBridge Health data breach is the second largest healthcare data breach to be reported this year. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 538,127 patients have potentially been impacted.
The only other breach reported to OCR larger than this was submitted by the California Department of Developmental Services (CDDS) in April.
The CDDS breach, which potentially impacted 582,174 patients, was a burglary and it is questionable whether any PHI was actually viewed or acquired by unauthorized individuals. All electronic equipment taken by the thieves was protected with encryption, thus protecting the integrity of the ePHI. No paperwork appeared to have been removed during the burglary.
While there have been no reports of misuse of data as a result of the LifeBridge Health data breach, the attackers had access to the server for 18 months before the breach was detected. It is reasonable to assume that during that time the server would have been explored and PHI discovered and compromised.