Sentara Healthcare is investigating a data breach suffered by one of its third-party vendors that resulted in patients’ protected health information being accessed by an unauthorized individual. Sentara Health was notified of a potential ePHI breach by law enforcement on November 17, 2016. An internal investigation was then immediately launched to determine the source of the breach, which led to one of its vendors.
The vendor of the 12-hospital healthcare system is not responsible for providing healthcare services to patients. The company was contracted to provide data and benchmarking services. However, no further information about the vendor or the source of the breach have been released. It is therefore unclear whether a hacker gained access to the vendor’s systems or if data were inappropriately accessed and stolen by an employee.
The investigation revealed that 5,454 thoracic and vascular patients who received medical services between 2012 and 2015 at Virginia hospitals run by Sentara Healthcare have been impacted and had their ePHI compromised. Data that have potentially been copied by the unauthorized individual includes patients’ names, demographic information, dates of birth, medical record numbers, Social Security numbers, clinical information, medical procedures, and medications.
Patients were notified of the breach by mail earlier this month and have been offered 12 months’ membership of a credit monitoring and identity theft resolution service free of charge. Those services have been offered as a precaution against identity theft. Should any patient believe their information has been used inappropriately, they will receive assistance in recovering their identities.
The Sentara Healthcare’s IT security team is still conducting its investigation into the breach and is working closely with law enforcement and its vendor. Sentara Healthcare has confirmed that its vendor is implementing additional controls to enhance data security to prevent future data breaches from occurring in the future.