A small-town rural Colorado hospital has identified a virus present on its computers that collected and encrypted patient data in a hidden file system. As a result, some 5,400 patients are being mailed breach notification letters today.
Back in January, the 80-bed Valley View Hospital in Glenwood Springs, Colo., discovered several of its computers had a virus which had copied screen shots of the computers and stored these images in an encrypted, hidden folder on the Valley View Hospital system, which could have been accessed by an outside entity, officials say.
Kevin Johnson, chief executive officer and principal security consultant at Secure Ideas, said the chances the data was accessed by an outside entity are "very high" indeed. "It would be unusual for malware to store the data and not either send it out or have it retrieved," Johnson told Healthcare IT News.
The information collected by the virus included patient names, addresses, dates of birth, telephone numbers, Social Security numbers, credit card data, patient visit numbers, and admission and discharge dates.
In terms of how long the virus was on the computers before discovery, the question still remains. Johnson said it's probable the hospital didn't know how long. "It is very typical for hospital systems to lack the level of monitoring or controls to determine this."
According to company notice, officials discovered the virus Jan. 23, and subsequent steps to quarantine all data and remove the virus from the system were taken.
The hospital has already launched a new information security program to upgrade and expand IT security and procedures, officials said.
[See also: Hackers swipe health data of 405K.]
"We apologize for any inconvenience or concern that this may cause our patients, employees and their families," said Gary Brewer, chief executive officer of the Valley View Hospital Association, in a statement. "We take our responsibility to protect patient information very seriously. We have responded to this situation as quickly and comprehensively as possible, and we continue to monitor progress as we take steps to inform and support those potentially affected by this incident."
Since 2009, some 30 million individuals have had their protected health information breached by HIPAA-covered entities. Hacking events currently account for some 7 percent of HIPAA privacy and security breaches, but many officials anticipate that number will continue to increase.
Back in December, in one of the biggest HIPAA security breaches report, hackers accessed a server from a Texas healthcare system, compromising the protect health information of some 405,000 people.
The five-hospital St. Joseph Health System in Bryan, Texas, reported it had experienced a three-day long data security attack back in December, when certain parties gained unauthorized access to a server containing patient and employee Social Security numbers, dates of birth, addresses and medical information.
According to health system officials, the unauthorized parties operated from IP addresses in China and several other locations.
The Office for Civil rights, the HHS
division responsible for enforcing HIPAA privacy and security rules has collected some $18.6 million from HIPAA-covered entities who failed to protect patient health information.
To date, OCR has received more than 90,000 complaints. Only some 5,447 of these cases went unresolved. However, some 53,000 of these cases may have been closed either because the OCR lacked jurisdiction or the complaint was untimely or withdrawn, not because a HIPAA violation did not occur.