In mid-summer, The Chattanooga Heart Institute, a Tennessee-based cardiac care practice, reported that hackers may have stolen protected health information (PHI) from over 170,000 individuals in an April cyber attack. However, after more investigation, the cardiac practice found that the number of breach victims was more than double the initial estimate, at 411,000.
The clinic reported the cyber attack to the Maine Attorney General and the U.S. Department of Health and Human Services in late July. After further investigation, the practice filed an updated report on October 6. The initial report described an incident that began in March; suspicious activity was first noticed in April, and the full extent of the breach was determined on May 31.
Damage Caused by the Hack
The Chattanooga Heart Institute includes three vascular surgeons and 27 cardiologists at four locations in Tennessee and one in Georgia. In its breach notice, the practice said its investigation into the incident had determined that an “unauthorized third party” gained access to its network between March 8 and March 16 and obtained data from its systems containing confidential patient information.
The PHI compromised includes name, mailing address, email address, phone number, birthdate, driver’s license number, Social Security number, account information, health insurance information, diagnosis and condition information, lab results, medications and other clinical, demographic or financial information.
So far, the breach has led to five class action lawsuits. The lawsuits allege willful and reckless negligence in failing to secure patient data. They also seek damages and a court order for The Chattanooga Heart Institute to improve its data security practices.
Why the List of Victims Grew
Although the cardiac practice has not disclosed details, there are plausible reasons why the number of victims more than doubled between July and October.
Protected health information received by The Chattanooga Heart Institute resides in a vast information network including Chattanooga’s business associates and the “organized health care arrangement” in which Chattanooga participates. Chattanooga is a member of Catholic Health Initiatives (CHI) along with other healthcare providers that share patient information to help them manage joint operational activities.
As a result, the ongoing investigation may be uncovering, piece by piece, PHI exposed from multiple systems touched by the intrusion. Attackers who gain a foothold routinely move laterally from the first compromised system to others on the network, and the full list of systems they reached, and the data held on each, is often established only after weeks of forensic work. Every additional system confirmed as accessed can add a new set of patients to the notification list.
Business Associates and Partners
Business associates, third-party vendors, and affiliates all present security risks and exposure under HIPAA, because PHI shared with them is still the covered entity's responsibility to protect.
Avoid surprises – conduct a thorough HIPAA risk analysis to find where all the PHI in your care is stored, processed, and transmitted, including copies held by business associates and shared systems; perform due diligence to confirm that your partners comply with HIPAA, have a business associate agreement in place, and exercise care to protect PHI.