Inova Health System in Virginia began notifying its 12,331 patients regarding the unauthorized access of some of their protected health information (PHI).
On September 5, 2018, law enforcement got in touch with Inova Health System because of an alleged breach of patients’ billing details. A prominent computer forensics firm investigated the breach to find out the magnitude of the attack and the range of information affected by the breach.
According to the results of the investigation, the unauthorized person first accessed Inova Health System’s billing system in January 2017 and repeatedly from July to October 2017. The hacker obtained the login details of an employee and used it to access the system.
Strangely, Inova reported that this same hacker also accessed the paper billing records of some patients in December 2016. This seems to imply that this might possibly be an insider breach, which involved a former employee, business associate or a person who could access the Inova facilities. Nonetheless, Inova did not release any data pertaining to the individual liable for the breach.
The range of data that had been compromised included patient names, birth dates, addresses, health record data and Social Security numbers. The hacker also possibly accessed the treatment data of a limited number of patients.
Because of the data breach, Inova strengthened its security procedures. To identify the access of unauthorized persons, additional monitoring tools were set up. The policies for setting passwords were updated with respect to password complexity. New prohibitions on broadcasting information were deployed. Employees had to undergo training again on password security and sensitive data security prior to leaving their workstations unmonitored. Security policies and procedures were also audited.
Inova is notifying the affected patients about the breach since November 2 and is working with law enforcement regarding the investigation. Inova also offered all patients affected by the breach one year complimentary credit monitoring and identity theft protection services.