The Diamond Institute for Infertility and Menopause in New Jersey recently suffered a data breach threatening the security of patient EHRs.
While EHRs have made patient information more accessible than ever, the rapid digitization of the healthcare industry opens the door for potential unauthorized access or abuse.
On Feb. 27, 2017, the New Jersey healthcare organization discovered evidence that an unauthorized individual had gained access to a third-party server containing patient EHRs.
Upon learning of the potential security breach, the organization immediately launched an investigation into the incident to determine the extent of the damage.
“Diamond takes the security and privacy of the information in its control very seriously, and is taking steps to prevent a similar incident from occurring in the future,” stated Attorney General Joseph A. Foster in a letter notifying potentially impacted patients of the incident.
While patient records and the EHR system database were both encrypted, officials stated some support documents may have been accessed in the breach.
The Diamond Institute determined potentially viewed information included patient names, addresses, dates of birth, Social Security numbers, lab results, and sonograms.
Law enforcement stated there was definitive proof that two New Hampshire residents were impacted by the breach.
However, the repercussions of the breach could extend even further. According to the OCR data breach reporting tool, 14,633 patient EHRs were potentially exposed and left vulnerable during the incident.
In an effort to maintain transparency, the Diamond Institute issued advisory letters notifying potentially affected individuals of the incident on April 28, 2017.
The healthcare organization is also changing all server passwords, updating its firewall and virtual private network credentials, and closing all inactive ports to avoid future incidents.
EHR security is an increasingly pressing issue among healthcare organizations as facilities become more data-driven and technology-based. Hacking and cybersecurity attacks put patient information contained in EHRs at risk of exposure, particularly by individuals interested in leveraging data for profit through ransomware attacks.
In fact, according to a recent report, there was a record number of healthcare data breaches in 2016.
Patient medical records accessible through web portals are also at risk of exposure, not only through cybersecurity attacks but also through website glitches.
Earlier this month, a Las Vegas IT consultant contacted IT security reporter Brian Krebs informing him of a website glitch affecting patient EHRs accessible through True Health Diagnostics.
The glitch exposed the EHRs and blood tests of all True Health Diagnostics patients due to a single-digit modification in a PDF link.
Krebs immediately informed the health organization of the online glitch and the EHR data portal was shut down.
“Upon discovering the potential for registered users of our patient portal to access data for individuals other than themselves, we immediately shut down the system in order to resolve any vulnerabilities,” the organization stated in an email to Krebs. “True Health has total confidence that all patient records are fully secure at this time. We regret this situation and any harm it may have caused.”
While the data portal glitch was quickly resolved and rebooted, True Health had no way of knowing whether any patient information contained within the EHRs was misused in any way.
The organization has initiated an ongoing investigation to determine if any EHRs were improperly accessed.
According to the IT consultant who initially discovered the glitch, it is likely at least two million patient EHRs were exposed in the incident.
The push for interoperability and health data exchange will persist. However, increased incidents of EHR data breaches threatening the security of patient information will not sit well with skeptics of the push for a higher-tech industry.