Texas Health Resources is sending notifications to ‘fewer than 4,000 patients’ that some of their Private Health Information may have been seen by an unauthorized persons.
The Arlington-based health care provider, a supplier to over 1.7 million patients in North Texas, says that the data breach may have happened as early as October 2017, although they did not identify it until January 17, 2018, when law enforcement alerted the the health system to it. The breach compromised data that was included in email accounts that the hacker(s) may have been able to access to for as long as three months.
Law enforcement agencies requested that here should be a delay in issuing breach notification letters, which would normally have to be issued within 60 days of the discovery of the breach as per HIPAA Rules. HIPAA covered organizations are legally allowed to delay the issuing of official notifications if law enforcement requests it due to fears that an investigation might be impeded. It is only recently that law enforcement agencies have given permission for the organization to start issuing notifications. It is still not known if the law enforcement investigation lead to anyone being arrested in relation to the cyber attack.
Texas Health Resources described, in the substitute breach notice that was filed, that the incident formed part of a bigger attack that impacted a number of entities across the USA. It is still not known which other healthcare groups were also concentrated by the attacker and therefore the true extent of the hacking campaign.
After carrying out an internal investigation, Texas Health Resources found that the compromised email accounts contained information including names, dates of birth, Social Security numbers, medical record details, drivers’ license numbers, state ID numbers, insurance information and clinical data. Most of the those affected had been treated at Texas Health Resources facilities during 2017.
Persons whose Social Security details were exposed have been offered free identity theft and credit monitoring services for 12 months. No official reports have been submitted to indicate the information has been misused in any way.
Texas Health invests, on an ongoing basis, to improve its security measures to maintain protected health information in a confidential fashion to eliminate the possibility of any future security incidents being experienced.