FBI alerts Owensboro Health to Breach at Muhlenberg Hospital; Breach Began in January, 2012
The breach in question may have begun in January, 2012, years before OH Muhlenberg acquired Muhlenberg Community Hospital, but it potentially impacted all patients, all payment guarantors, employees and some credentialed providers after that date and before OH Muhlenberg learned of the breach and contained it. This incident does not yet appear on HHS’s public breach tool, so the number potentially impacted is not known as of the time of this posting. Update: The breach impacted 84,681 patients.
OH Muhlenberg, LLC issued the following press release today:
Today, OH Muhlenberg, LLC announced that its hospital located in Greenville, KY, has experienced a security incident affecting some of the hospital’s computers. The hospital is providing notice to individuals that may have been affected by the incident and offering one year of complimentary identity protection services to those individuals. The hospital regrets any inconvenience or concern this incident may cause.
OH Muhlenberg, LLC acquired the Muhlenberg Community Hospital operations on July 1, 2015. Prior to that time, the hospital had been owned and operated by Muhlenberg Community Hospital since 1938. As part of the acquisition, OH Muhlenberg, LLC acquired substantially all of the assets of the hospital in Muhlenberg, including its computer systems, patient records and other records.
On September 16, 2015, the Federal Bureau of Investigation (FBI) notified the hospital of suspicious network activity involving third parties. Upon learning this information, the hospital took immediate action, including initiating an internal investigation and engaging a leading digital forensics and security firm to investigate this matter. Based upon this review, the hospital confirmed that a limited number of computers were infected with a keystroke logger designed to capture and transmit data as it was entered onto the affected computers. The infection may have started as early as January 2012.
The hospital understands the importance of protecting the privacy and security of its providers’, patients’ and employees’ information. Upon learning of the incident, the hospital took prompt steps to address and contain it, including immediately blocking the external unauthorized IP addresses, taking steps to disable the malware and continuing to enhance the security of its systems moving forward.
The affected computers were used to enter patient financial data and health information, information about persons responsible for a patient’s bill and employee/contractor data, including potentially name, address, telephone number(s), birthdate, Social Security number, driver’s license/state identification number, medical and health plan information (such health insurance number, medical record number, diagnoses and treatment information, and payment information), financial account number, payment card information (such as primary account number and expiration date) and employment-related information. Additionally, some credentialing-related information for providers may be impacted. The hospital also believes that the malware could have captured username and password information for accounts or websites that were accessed by employees, contractors or providers using the affected terminals. The hospital has no indication that the data has been used inappropriately.
However, out of an abundance of caution, OH Muhlenberg, LLC is providing notice to individuals whose information was maintained in the hospital’s electronic patient records database; persons employed by or contracted for specific services by the hospital on and after January 1, 2012; as well as providers who were credentialed or re-credentialed for privileges at the hospital in 2012.
More information for potentially affected individuals, including on ways to help protect themselves, is available on the hospital’s website: www.owensborohealth.org/muhlenbergprivacy. Affected individuals with questions should call 877-271-1568 from anywhere within the United States or at 503-520-4450 from outside the United States (tolls may apply), Monday-Friday, from 9 a.m. – 9 p.m. EST.
Owensboro Health Muhlenberg Community Hospital is a 135-bed, acute care hospital committed to healing the sick and improving the health of the communities we serve. Now part of Owensboro Health, the hospital has been the healthcare leader in the community for more than 78 years. Services include acute care, surgery, a long term care facility, home health, Rapid Care, Pain Management Center, Wound Care Center, rehabilitation services, sports medicine, emergency services, Occupational Health Screening Center, one of two Coal Miners’ Respiratory Clinics in Kentucky, and a Sleep Lab. The hospital has over 500 staff members, two specialists and five family and internal medicine practices. Visit: www.owensborohealth.org for additional information.
SOURCE: Owensboro Health