St. Peter’s Surgery & Endoscopy Center in New York has been hit by a malware infection which could have allowed hackers to access medical records of up to 135,000 patients.
This is the second biggest healthcare data breach of 2018, so far, and the largest to be experienced in New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016.
The data violation at St. Peter’s Surgery & Endoscopy Center was noticed on January 8, 2018: The same day as hackers obtained access to its server. The quick detection of the malware restricted the time the hackers had access to the server and possibly prevented patients’ data from being seen or copied. However, while no prrof of data access or data theft was found, it was not possible to eliminate either out with a high degree of certainty.
In the substitute branch notice issued, St. Peter’s Surgery & Endoscopy Center says the servers it utilizes are separate from St. Peter’s Hospital and Albany Gastroenterology Consultants. Protected health information stored by those medical centers was not compromised due to the malware infection. Only patients who have earlier visited St. Peter’s Surgery & Endoscopy Center for medical treatment have possibly been impacted. Letters to impacted patients were issued on February 28, 2018 and the incident has been made known to the HHS’ Office for Civil Rights (OCR).
The information possibly accessed/copied was restricted to patients’ names, addresses, dates of birth, dates of service, diagnosis codes, procedure codes, and insurance data. Some patients also had Medicare information accessed. Patients without Medicare did not have their social security details exposed and no patients’ banking or credit/debit card numbers were accessed.
Patients whose Medicare data as exposed have been offered 12 months of credit monitoring and identity theft protection services for free “out of an abundance of caution” and all patients have been told to check their health insurance statements carefully for any sign of fraudulent use of their data.
No details have been released on the exact nature of the security breach, such as how the hackers obtained access to the server to upload malware. St. Peter’s Surgery & Endoscopy Center said steps are being taken to enhance security, which incorporates further staff training. The purchase of more – and more sophisticated – anti-virus and anti-malware solutions is also being considered.