In August, the Catholic Charities of the Diocese of Albany (CCDA) performed a routine upgrade of its computer security software. While the technicians were working on the upgrade, they discovered that malware had been installed on one of the computer servers used by its Glens Falls office. This office serves patients in Saratoga, Warren and Washington Counties in New York.
The staff rapidly blocked access to the server and CCDA enlisted the services of a computer security firm. An investigation was launched into the root of this unauthorized access and breach in security. The investigation, which took several weeks to complete, revealed that access to the server potentially dated back to an initial breach in 2015. Despite the discovery of the malware and server breach, the investigation did not uncover evidence to suggest the protected health information of patients had been viewed or stolen.
An analysis of the server revealed the stored files contained the protected health information of 4,624 patients. The information potentially accessed by the attackers included names, addresses, birthdates, diagnosis codes, dates of service, and, for some patients, their health insurance ID numbers, which may have included Social Security numbers. Financial information and details of treatment and therapy were stored elsewhere on the network and were not accessible at any point.
In accordance with the HIPAA Breach Notification Rule, the incident has been reported to law enforcement, the Department of Health and Human Services’ Office for Civil Rights, the Division of Consumer Protection, and the state Attorney General. Affected patients have been notified of the breach. CCDA has offered the affected patients credit monitoring and identity theft protection services for one year without charge as compensation for the breach.
Even when appropriate security solutions are implemented to safeguard the protected health information of patients, breaches can still occur. Sister Charla Commins, CSJ, Executive Director of Catholic Charities of Saratoga, Warren and Washington Counties, explained, “We have modern digital security measures in place, but every day it seems criminals intent on invading computer systems find new ways to do so.” Sister Commins also explained, “We take very seriously our responsibility for protecting private information, and we sincerely apologize for any inconvenience this may cause our clients and staff.” In response to the malware attack, CCDA has since enhanced the security of its servers and is in the process of implementing further malware monitoring features.