Inova Health System Breach Leads to Billing Records of 12,331 Patients Being Compromised

Virginia-based Inova Health System has started to contact 12,331 patients to advise them that some of their protected health information has been obtained by an unauthorized person.

Law enforcement contacted Inova Health System on September 5, 2018 in relation to a suspected breach of patients’ billing information. A leading computer forensics agency was hired to carry out an investigation into the breach to determine the extent of the attack and the range of the breach.

The investigation showed that Inova's billing system was first accessed by an unauthorized person in January 2017, and again between July and October 2017. Access was obtained using the login details of an Inova staff member.

Oddly, Inova also reported that the same person obtained access to paper billing records of a small number of patients in December 2016, which suggests that this may have been an insider breach involving a former staff member, business associate or another individual with permission to access Inova facilities. However, no information about the person responsible for the breach has been released by Inova.

The information that was accessed included patient names, addresses, birth dates, medical record details and Social Security numbers. Treatment information of a limited number of patients was also possibly accessed.

The data breach has led to Inova strengthening its security processes. Extra monitoring tools have been put in place to identify unauthorized access, password policies have been refreshed in relation to password complexity, and new restrictions on the broadcast of information have been deployed. Staff members have been retrained on securing sensitive data before leaving their workstations unattended and on password security. An audit of security policies and procedures has also been carried out.

Inova started sending breach notification letters to impacted patients on November 2 and is helping law enforcement with its investigation.

All patients impacted by the breach have been offered one free year of credit monitoring and identity theft protection services by Inova.