Bon Secours St. Francis Health System is getting in touch with patients in relation to a security breach that may have led to some of their protected health information (PHI) being viewed/accessed by unauthorized actors who obtained access to the systems of Milestone Family Medicine in Greenville, SC.
Milestone Family Medicine was connected with St. Francis Physicians Services (SFPS) until February 24, 2019, and had previously worked physicians at the practice. SFPS noticed became aware of a security breach at the clinic on January 4, 2019 and took steps to secure systems and stop further unauthorized access. An investigation was kicked off by a third-party computer forensics firm, SFPS were able to ascertain that one of the servers that was accessed included the PHI of certain patients at the medical clinic.
The attack seems to have targeted EHR systems that were accessible over the Internet. Internet connections providing access to Milestone Family Medicine systems that are not actively being used have been disabled.
The range of data that have been impacted include names, addresses, dates of birth, health insurance information, Social Security numbers, and information tinked to the medical services given to patients.
The breach was restricted to patients who had previously received medical services at Milestone Family Medicine. Breach notification letters are now being mailed to affected people and SFPS has offered free credit monitoring and identity theft protection services.
While data theft could have taken place, no reports have been submitted to suggest any patients’ PHI has been improperly used. Impacted patients have been advised to monitor their accounts and explanation of benefits statements for indicators of fraudulent activity.
SFPS has said technology management and information security risk oversight are being strengthened to stop any further breaches of PHI and that the decision to end the affiliation with Milestone Family Medicine was not linked to the breach.
The incident has yet to be published on the Department of Health and Human Services’ Office for Civil Rights (OCR) website, so it remains unknown exactly how many Milestone Family Medicine patients have been impacted by the breach.