0.5 MM Patient Records Compromised for Two Years before Discovery

Baltimore’s LifeBridge Health reports 0.5 million patient records compromised after two years

LifeBridge Health, located in Baltimore, Maryland, was the victim of a malware attack on September 27, 2016. What is most concerning, however, is that the attack was not identified until March 17, 2018.

In March of 2018, hospital officials reported a malicious attack that had infected multiple systems across the organization. A ton of PII (personally identifiable information) and PHI (protected health information) has been stolen. This includes ambulatory electronic health records, patient registration, and billing systems that a contracted vendor was hosting. After a full forensic analysis was completed, it was determined that the malicious attack originated in 2016, when unauthorized actors accessed the system.

Approximately half a million patient records were compromised. The information leaked included Social Security numbers, patient names, addresses, birth dates, medical diagnoses, medications, insurance information, and clinical and treatment information. The Baltimore medical facility is working diligently to notify all impacted patients and is offering a free year of credit reporting services to patients whose Social Security number was compromised.

Letters sent to impacted patients encourage them to review billing statements and explanation of benefits.  If services are shown that were not rendered, the patients are urged to contact their providers immediately.

Press Release:

LifeBridge Health and LifeBridge Potomac Professionals announced today that it is sending letters to patients about a recent security incident involving patient information.

On March 18, 2018, LifeBridge Health discovered that malware infected the server that hosts LifeBridge Potomac Professionals’ electronic medical record, and LifeBridge Health’s patient registration and billing systems. LifeBridge immediately began an investigation, engaged a national forensic firm, and determined that the unauthorized person accessed the server on September 27, 2016. The information potentially accessed may include patients’ names, addresses, dates of birth, diagnoses, medications, clinical and treatment information, insurance information, and in some instances Social Security numbers.

At this time, LifeBridge Health and LifeBridge Potomac Professionals have no reason to believe that the patient information has been misused in any way. However, as a precaution, LifeBridge Health is sending letters to patients, and has established a dedicated call center to answer any questions patients may have. For those patients whose Social Security numbers were potentially involved, LifeBridge is offering one-year complimentary credit monitoring and identity protection services. LifeBridge Health also recommends that patients review their billing statements and explanation of benefits they receive. If patients see services that they did not receive, they should contact the provider or insurer immediately.

To help prevent something like this from happening again, LifeBridge has enhanced the complexity of its password requirements and the security of its system.

For additional information about this incident, please visit the LifeBridge website at www.lifebridgehealth.org.

 

Source: LifeBridge Health and LifeBridge Potomac Professionals
