Dive Brief:
- Bon Secours Health System notified more than 650,000 patients that their personal information may have been breached.
- The vulnerability occurred when a business associate of the Marriottsville, MD-based health system left patient information exposed online for four days while it adjusted its network settings.
- R-C Healthcare Management, which specializes in reimbursement, has since secured the information to prevent future internet access.
Dive Insight:
The information — exposed between April 18 and 21 of this year — included names, Social Security numbers, insurance and banking information, and some clinical data. In all, 655,000 patients were affected — 435,000 in Virginia and the rest in Kentucky and South Carolina.
Bon Secours identified the breach on June 14 and informed R-C Healthcare, which took steps to close the vulnerability and hired a third party to assess its efforts. Bon Secours conducted a two-month internal investigation of the incident, culminating with Friday’s mailing of letters to the affected patients.
The breach comes as hospitals are reeling from a string of cybersecurity failures this year. Earlier this month, Banner Health reported that hackers may have accessed payment data for 3.7 million individuals through point-of-sale systems at food vendors serving its facilities. The health system is facing a class-action lawsuit over its failure to provide sufficient data security policies to employees.
Aaron Miri, CIO and vice president of government relations at Imprivata, says a single medical record can sell for up to $300 on the dark net. Cybersecurity experts advise hospitals to build firewalls around the perimeter of systems, use two-factor authentication to secure them, and segment subnetworks from the rest of the internal network.