Inova Health System Leads to Billing Records of 12,331 Patients Being Compromised

by Ryan Coyne | Nov 15, 2018

Virginia based Inova Health System has started to contact 12,331 patients to advise them that some of their protected health information has been obtained by an unauthorized person.

Law enforcement contacted Inova Health System on September 5, 2018 in relation to a suspected breach of patients’ billing information. A leading computer forensics agency was hired to carry out an investigation into the breach to determine the extent of the attack and the range of the breach.

The investigation showed that its billing system was first accessed by an unauthorized person in January 2017, and again between July and October 2017. Access was obtained using the login details of an Inova staff member.

Oddly, Inova also reported that the same person also obtained access to paper billing records of a small number of patients in December 2016, which suggests that this may have been an insider breach involving a former staff member, business associate or another individual with permission to access to Inova facilities. However, no information about the person responsible for the breach has been released by Inova.

The range of information that were logged onto included patient names, addresses, birth dates, medical record details and Social Security numbers. Treatment information of a restricted number of patients was also possibly accessed.

The data breach has lead to Inova strengthening its security processes. Extra monitoring tools have been put in place to identify unauthorized access, password policies have been refreshed in relation to password complexity and new restrictions on the broadcast of information have been deployed. Staff members have been retrained on securing sensitive data before leaving their workstations unattended and on password security. An audit of security policies and procedures has also been carried out.

Inova started sending breach notification letters to impacted patients on November 2 and is helping law enforcement with its investigation.

All patients impacted by the breach have been offered one free year of credit monitoring and identity theft protection services bu Inova.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter