Beth Israel reports potential data breach (update2)
Hiawatha Bray reports:
Beth Israel Deaconess Medical Center is notifying more than 2,000 of its patients that some of their personal information may have been stolen from a hospital computer.
The hospital said today that an unnamed computer service vendor had failed to restore proper security settings on the computer after performing maintenance on it. The machine was later found to be infected with a computer virus, which transmitted data files to an unknown location.
The computer contained medical record numbers, names, genders, and birth dates of 2,021 patients, as well as the names and dates of radiology procedures they’d undergone. But the computer didn’t contain the patients’ financial data or their Social Security numbers, which can be used to steal identities and defraud banks.
“We are grateful no Social Security numbers or financial information were released, and apologize for the inconvenience and deeply regret any concern this situation may cause,” said John Halamka, the hospital’s chief information officer.
Halamka said the virus transmitted information in an encrypted form, so the hospital does not know exactly what might have leaked, but wanted to inform patients anyway. “We just wanted to be ultra-careful,” he said.
The hospital will provide affected patients with one year of free identity protection service. For more information, patients can contact the hospital at 877-615-3765.
Source: Boston Globe.
Okay, this strikes me as a pretty rare occurrence. Having data exfiltrated by a virus is not rare, but in encrypted form? Maybe security professionals have encountered this before, but this is the first report of this kind that I can recall.
Update: BIDMC’s statement on the breach:
Beth Israel Deaconess Medical Center (BIDMC) is in the process of notifying patients of a potential breach of protected health information as a result of the failure of a vendor to restore security controls following routine maintenance.
The computer, which was located in a locked room, stored BIDMC medical record numbers, gender, date of birth and the date and name of radiology procedures for 2,021 patients. No Social Security numbers or financial data was stored on the computer.
The computer was found to be transmitting data to an unknown location, the result of being infected by a computer virus following a routine maintenance visit.
“BIDMC takes this incident and the protection of protected health and personal information extremely seriously,” said John Halamka, MD, BIDMC’s Chief Information Officer. “We are grateful no Social Security numbers or financial information was released and apologize for the inconvenience and deeply regret any concern this situation may cause.”
“We continually test and modify systems, while aggressively enhancing practices to secure sensitive information. In this case, BIDMC shut down the computer immediately upon learning that it was infected with a computer virus. The computer was cleaned and all software re-installed to ensure the virus was no longer present. Updated security controls were also installed and activated to prevent viruses from being installed. BIDMC has also worked closely with its vendor representative to ensure that an incident such as this does not re-occur.”
Affected patients have been given access to state and federal resources, a toll-free telephone number, 877-615-3765 and one year of identity protection services, at no charge to them.
Beth Israel Deaconess Medical Center is a patient care, teaching and research affiliate of Harvard Medical School, and currently ranks third in National Institutes of Health funding among independent hospitals nationwide. BIDMC is clinically affiliated with the Joslin Diabetes Center and is a research partner of Dana-Farber/Harvard Cancer Center. BIDMC is the official hospital of the Boston Red Sox. For more information, visit www.bidmc.org.
The release inadvertently omitted that patient names were also on the computer but a hospital spokesperson confirmed that point today for me.
Update 2: In response to my inquiry about the exfiltrated data being encrypted, John Halamka, the hospital’s Chief Information Officer, explained:
The virus encrypted it, not us. The reason we are reporting it is that we are not sure that a breach occurred, but because a virus sent some data from the radiology device to some location, we wanted to be very conservative and report a possible breach.
Okay, that helps explain things. And yes, I would treat this as if a breach had occurred. I think the hospital definitely did the right thing here.