Texas Health Resources, a group providing services to over 1.7 million patients in North Texas, is alerting ‘fewer than 4,000 patients’ that a portion of their sensitive information may have been obtained by an unauthorized person. The data breach may have happened as early as October 2017, although it was not identified until January 17, 2018, when the health system was made aware of a breach by law enforcement. The possibly compromised data was contained in email accounts that the hacker had access to for around three months.
The delay in sending breach notification letters, which should have been sent within 60 days of the identification of the breach under HIPAA Rules, was at the request of law enforcement. HIPAA covered entities are allowed to delay issuing notifications if law enforcement feels such an act would harm an investigation. Law enforcement has only recently given the OK to start sending notifications. It is unclear whether the law enforcement inquiry led to the suspect being caught.
Texas Health Resources outlined in its substitute breach notice that the incident was part of a bigger attack that affected multiple organizations across the United States. It is currently unclear which other healthcare groups were also targeted by the hacker, and therefore the true scale of the attack is unknown.
Texas Health Resources carried out its own internal review into the breach and determined that the compromised email accounts held information such as names, dates of birth, Social Security numbers, medical record numbers, driver’s license numbers, state ID numbers, insurance information, and clinical data. Most of the affected people had received medical services at Texas Health Resources clinics in 2017.
People whose Social Security numbers were obtained have been given complimentary identity theft and credit monitoring services for one year. No reports have been received to suggest any of the information has been improperly used.
Texas Health is always working on improving its security measures to keep protected health information confidential and safe and will be strengthening security monitoring to ensure any future security incidents are detected quickly.