Provider group Texas Health Resources, based in Arlington, is notifying approximately 4,000 patients that an unauthorized person accessed some of their sensitive information. The security breach happened in October 2017, but Texas Health Resources only learned of it on January 17, 2018, when law enforcement notified the organization. The attacker had access to the email accounts that contained the compromised data for up to three months.
The HIPAA Rules require breach notifications to be issued within 60 days of the discovery of the breach. Texas Health Resources delayed issuing notifications to patients at the request of law enforcement. The HIPAA Rules allow this if law enforcement has reason to believe that the delay would benefit an ongoing investigation. Law enforcement recently gave the go-ahead to start sending notifications, but there’s no information on whether the investigation led to the apprehension of a suspect.
In the substitute breach notice published by Texas Health Resources, it was explained that the breach was part of a bigger attack on several entities across the U.S. There’s no mention of the other healthcare organizations that the attacker targeted or of the scope of the attack.
Texas Health Resources performed its own internal investigation to find out what information was exposed. The compromised email accounts contained the following information: names, birth dates, Social Security numbers, driver’s license numbers, medical record numbers, state ID numbers, clinical information and insurance information. The majority of the patients went to Texas Health Resources for medical services in 2017.
Although no report has been received yet that suggests misuse of the compromised information, Texas Health Resources offered the patients whose Social Security numbers were exposed free identity theft and credit monitoring services for 12 months. The health center also improved its security controls to protect the confidentiality and integrity of protected health information. Security monitoring was also enhanced to enable quick detection of potential breaches in the future.