Keystroke logger detected on hospital's computers

May have been in place undetected for nearly four years
By Mike Miliard
11:30 AM
Share
Typing on laptop

A hospital in Kentucky is notifying patients of a security incident, after it was discovered that some of its computers had been infected with a keystroke logger designed to capture and transmit data as it was typed.

This past Friday, OH Muhlenberg, LLC announced that Greenville, Ky.-based Muhlenberg Community Hospital had detected the malware on some of its machines.

The keystroke logger may have been in place since January 2012.

Affected computers were used to enter patient financial data and health information, potentially including names, addresses, telephone numbers, birth dates, Social Security numbers, driver's license/state identification numbers, medical and health plan information, financial account numbers, payment card information and employment-related information. Additionally, some credentialing-related information for providers may also be impacted, officials said.

Noting that they have "no indication that the data has been used inappropriately," Muhlenberg officials did say that they believe the malware could have captured username and password information for accounts or websites that were accessed by employees, contractors or providers using the affected terminals.

[Learn more: Meet the speakers at the HIMSS and Healthcare IT News Privacy and Security Forum.]

In mid-September, the FBI notified Muhlenberg of "suspicious network activity involving third parties," officials said. Upon learning this, the hospital "took immediate action," launching its own internal investigation and hiring a digital forensics and security firm.

"The hospital understands the importance of protecting the privacy and security of its providers', patients' and employees' information," officials said, noting that the hospital worked quickly to contain the damage, "including immediately blocking the external unauthorized IP addresses, taking steps to disable the malware and continuing to enhance the security of its systems moving forward.

Muhlenberg "regrets any inconvenience or concern this incident may cause," officials said, adding that affected patients would receive one year of complimentary identity protection services.