On January 15, Hendrick Health System began notifying 640,436 patients of a cybersecurity threat that compromised their data. More details on the incident are discussed below.
What Caused the Hendrick Health Breach?
On November 20 Hendrick Health System discovered that they had suffered a cyberattack that potentially compromised protected health information (PHI). Upon discovery, Hendrick Health system notified law enforcement of the incident, and launched an investigation.
The investigation into the Hendrick Health breach determined that an unauthorized entity gained access to their systems from October 10 to November 9. It was also discovered that the Hendrick Health breach did not affect all of their medical centers, just patients treated at Hendrick Medical Center and Hendrick Clinic in Abilene, Texas.
What Information Was Exposed in the Incident?
Although the Hendrick Health breach did not affect the organization’s electronic health records, threat actors gained access to patients’ names, Social Security numbers, demographic information, and limited information about healthcare provided by Hendrick. Patients affected by the breach have been sent a breach notification letter. Patients will receive one year of identity theft protection and complimentary credit monitoring. Hendrick Health has also set up a confidential call center for affected patients (855-526-1144).
To read the Hendrick Health breach notice, please click here.
Tampa Bay Breast Care Specialists Breach
On January 21, AdventHealth released a statement that Tampa Bay Breast Care Specialists (TBBCS), part of AdventHealth Medical Group, suffered a breach on December 22, 2020. The breach of TBBCS’ electronic medical record system affected the records from before TBBCS was part of AdventHealth, and was not currently in use by AdventHealth.
Although it is unclear as to how many patients were affected by the breach, PHI stored in the breached EMR, and potentially accessed by unauthorized users included patient names, dates of birth, dates of death (where applicable) sex, genders, marital statuses, email addresses, races, religions, Social Security Numbers, driver’s license information, addresses, billing information (including credit card information, where applicable), medications list, and clinical documentation/notes.
To prevent further PHI exposure, AdventHealth has since taken the compromised EMR offline, is reviewing their organization’s policies and procedures, and retraining staff members. AdventHealth has sent breach notification letters to affected patients, and set up a confidential call center (855-688-0534).
To read AdventHealth’s breach notice, please click here.