Valley View Hospital in Glenwood Springs was the target of computer hackers and has suffered a major breach of patient information security. Hospital officials say the personal data of more than five-thousand patients was compromised. Stacey Gavrell is head of community relations for the hospital
“The patient information does obviously make it very serious for us and we are going to respond seriously and we are responding seriously.”
The hacker or hackers introduced a virus into the hospital’s computer system, which took screen shots of patient records and then stored the pictures in a folder on the hospitals online file system. Gavrell says it is unclear if the hackers later accessed the information but that it was possible. APR's Roger Adams reports.
The virus collected patient data between September of last year until it was discovered in late January of this year. While no healthcare information was compromised the hacked data includes names, dates of birth, social security numbers and banking information. Also hacked were admission and discharge dates.
“We took immediate steps to stop and remove the virus from our system and then have been working diligently to upgrade our information technology security and systems to prevent a future incident. And, then we’re also cooperating with the Department of Health and Human Services disclosing this to them and following the proper procedures for reporting this incident.”
The data could be used to steal patient’s identities. Valley View Hospital is taking steps to help patients prevent identity theft from the security breach. Tomorrow morning at seven a hotline will be activated to answer questions. There is also information on the hospital’s website and on Monday letters will be sent to each person whose data were breached.
“We’re offering identity theft insurance policies to those who have potentially been impacted via the kinds of information that was stored in the hidden and encrypted folder.”
The hotline phone number and detailed information for Valley View patients is now on our website aspenpublicradio.org.
While the data breach is of concern to individuals involved the hospital itself is now in a crisis mode because this represents a major breach of data protected under the Health Insurance Portability and Accountability Act known as HIPAA. The act has stringent rules governing the release of patient information – stringent enough that law enforcement agencies often have to get subpoenas for information about people involved in criminal investigations. Medical data are becoming a valuable commodity to criminals.
“Medical records essentially have become monetized to the criminal underworld.”
Abner Weintraub is the founder of the HIPAA Group, a Florida-based company that trains health care providers how to protect patient data and keep in compliance with the law.
“So, a collection of a hundred medical records including socials, home address, diagnoses, physicians name, dates of service, things like that; a collection of a hundred or a thousand or ten thousand medical records represents cash.”
He says even in a case where the hospital was the victim of criminal hackers the breach can be deemed a HIPAA violation and the hospital can be subject to stiff penalties and fines.
“They certainly can be and whether they are or not is up to the sole discretion, in most cases, of the HIPAA enforcement authority which is the Office for Civil Rights, a sub-agency of the US Department of Health and Human Services. Generally they would investigate and at their sole discretion determine whether or not penalties may apply in this particular situation.”
There are several areas of concern for hospitals and other health care providers. Staff can disclose personal health information inadvertently and compromises can occur if files are left on desks unsecured. Arguably the greater concern is about electronic data storage. Everything must be secured from unauthorized access. Files are encrypted and transmission of data between hospitals or different care providers must be done over secure means.
“the attackers, the hackers, are up all night. Most IT security departments are not. They tend to have automated systems that are around the clock but the threat is very real and it’s an enormous threat. Attacks continue to be successful in the health care community or against health care targets.”
If HIPAA protected information is compromised as has happened at Valley View Hospital there are procedures mandated by the federal Department of Health And Human Services. Among them are that the security breach must be reported to the media. Again, hospital spokeswoman Stacey Gavrell.
“Our major focus right now is trying to take the steps to help people who have been potentially affected by this. You know, absolutely everyday and on a daily basis we are mindful of the responsibility to protect people’s patient information.”
A transcript of this story plus audio, additional links for information and the hotline telephone number are at aspenpublicradio.org. The telephone hotline at the hospital won’t be operational until tomorrow morning.
VVH Hotline number (activated 7:00 am Saturday 3-15-2014) - 888-236-0444