Analecta Cyber Company Blog: Vendor hack leads to health data breach

2016-05-03

Vendor hack leads to health data breach

Data breaches targeting sensitive patient information have occurred in the past. It is, in some way, a usual event that the medical industry should always take into consideration.

On the other hand, a rare case of cyberattack happened, possibly affecting more than 19,000 patients' information. This unusual cyberattack targeted a third-party service provider in order to access patients' healthcare data.

The attack hit Bitzmatrics, a third-party vendor that operates the EHR and healthcare practice management tool in two major facilities potentially affected by the breach. These are the Pain Treatment Centers of America (PTCOA), as well as the International Surgery Institute (ISI). Both PTCOA and ISI reported a possible breach in their patient health information (PHI) after discovering the attack on their service provider.

Bizmatics operates a tool used to manage patient files. This means that targeting them is more likely to access a larger volume of information. In this case, all of the medical records of the 2 facilities’ patients were possibly compromised.

Reports released by HealthITSecurity show hackers infiltrated Bizmatics’ data servers in late 2015. They notified PTCOA a few weeks later. The third party vendor has been collaborating with the authorities in their investigations. Also, it’s been reported that the event had been contained and that all of their systems are now protected. Investigations are still ongoing to verify the cause and the extent of sensitive information that have been possibly compromised. According to HIPAA Journal, these may include the following data: patients' medical records, health insurance information, personal information including names, addresses, driver’s license and ID numbers.

In other cases, these may also include Social Security numbers of patients. Considering that sensitive information, including Social Security numbers of patients, may be compromised, these could be used by hackers for fraud especially identity theft.

Though Bizmatics pointed out that patient' files of PTCOA and ISI were probably not the target of the hacker, still, there is no guarantee that they would not go after them, as these may convert to a vast amount of money in the black market.

The service vendor notified potentially affected patients. They also set up a call center for queries in relation to the breach. As a regular protocol, a free year of credit monitoring and identity protection services will be provided to affected patients, just to extend the protection to their sensitive data.