Owensboro Health Muhlenberg Community Hospital Breach

In this week in HIPAA Breach rubber-necking, we have the FBI notifying Owensboro Health Muhlenberg Community Hospital, a 135-bed acute care hospital in Kentucky, of suspicious network activity involving third parties. Here’s a description of the incident:

On September 16, 2015, the Federal Bureau of Investigation (FBI) notified the hospital of suspicious network activity involving third parties. Upon learning this information, the hospital took immediate action, including initiating an internal investigation and engaging a leading digital forensics and security firm to investigate this matter. Based upon this review, the hospital confirmed that a limited number of computers were infected with a keystroke logger designed to capture and transmit data as it was entered onto the affected computers. The infection may have started as early as January 2012.

I’m quite interested in how they came up with the January 2012 date. Was that the date that the infected computers were installed? Are they just being cautious and assuming that the computers could have had the keylogger since the beginning and they’re handling the breach that way?

Of course, Muhlenberg Community Hospital is sending breach notifications to all patients in their records database, as well as to employees, contractors and providers who were credentialed at the hospital since 2012. They don’t say how many records or people this constitutes, but it has to be a massive number.

Here’s a look at what information they think could have been accessed by the keylogger:

The affected computers were used to enter patient financial data and health information, information about persons responsible for a patient’s bill and employee/contractor data, including potentially name, address, telephone number(s), birthdate, Social Security number, driver’s license/state identification number, medical and health plan information (such as health insurance number, medical record number, diagnoses and treatment information, and payment information), financial account number, payment card information (such as primary account number and expiration date) and employment-related information. Additionally, some credentialing-related information for providers may be impacted. The hospital also believes that the malware could have captured username and password information for accounts or websites that were accessed by employees, contractors or providers using the affected terminals. The hospital has no indication that the data has been used inappropriately.

They’re offering the usual identity protection services to all those affected. However, I was quite interested in their expanded list of steps people can take to guard against possible identity theft and fraud:

  • Enroll in Identity Protection Services
  • Explanation of Benefits Review
  • Check Credit Reports
  • Review Payment Card Statements
  • Change Your Passwords
  • Consult the Identity Theft Protection Guide

It’s clear that the number of breaches is accelerating. However, this case is particularly interesting because the hospital may have been compromised for more than three years before anyone noticed, and even then the discovery came from an FBI notification rather than from the hospital’s own monitoring. I expect we’ll see a lot more of this kind of long-dwell-time activity come to light in the future.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.