A malware infection has potentially allowed hackers to gain access to the medical records of as many as 135,000 patients at St. Peter’s Surgery & Endoscopy Center, located in New York.
This is the second-largest healthcare data breach reported so far in 2018 and the most serious seen in New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016.
The St. Peter’s Surgery & Endoscopy Center data breach was spotted on January 8, 2018, the same day that hackers managed to log on to its server. The speedy detection of the malware minimized the time the hackers could spend logged on to the server and potentially stopped patients’ private health information from being viewed or copied. However, while nothing has been found to suggest that data access or data theft occurred, this could not be completely ruled out.
St. Peter’s Surgery & Endoscopy Center’s substitute breach notice states that the servers it uses are separate from those of St. Peter’s Hospital and Albany Gastroenterology Consultants. Protected health information saved by those two medical centers was not accessed in the malware attack. Only patients who have been treated at St. Peter’s Surgery & Endoscopy Center could have been affected. Letters to affected individuals were sent on February 28, 2018, and the incident has been reported to the HHS’ Office for Civil Rights (OCR).
The private health information potentially accessed or copied was limited to patients’ names, addresses, dates of birth, dates of service, diagnosis codes, procedure codes, and details relating to insurance. Some people also had Medicare information viewed. Patients not in receipt of Medicare did not have their Social Security numbers viewed, and no patients’ banking or credit/debit card numbers were visible.
Individuals whose Medicare details were exposed have been offered one year of credit monitoring and identity theft protection services at no charge “out of an abundance of caution,” and all individuals have been urged to check their health insurance statements in detail for any sign of inappropriate use of their details.
No specific information has been made public regarding the exact nature of the security breach, such as how the hackers accessed the server to place the malware. St. Peter’s Surgery & Endoscopy Center revealed that measures are being taken to strengthen security protocols, including further staff training. The introduction of more specialized anti-virus and anti-malware solutions is also being reviewed.