A cyber security breach at a third party vendor for Sentara Healthcare has compromised the records of over 5,000 patients.
The incident involves 5,454 vascular and thoracic patients seen between 2012 and 2015 at Sentara hospitals in Virginia.
Read more on WAVY. The vendor was not named, nor were many details about the nature of the breach provided in the news report. And it’s not even clear from Sentara’s statement, a portion of which is quoted below, whether they are talking about an external attack or an employee inappropriately accessing a patient database:
On November 17, 2016, in conjunction with law enforcement, Sentara Healthcare determined that one of its third party vendors experienced a cybersecurity incident. Patient information as it relates to some vascular and/or thoracic procedures that took place between 2012 and 2015 at a Sentara hospital in Virginia was inappropriately accessed. The information may have included patients’ names, medical record numbers, dates of birth, social security numbers, procedure information, demographic information and medications. This incident has and is still being investigated by law enforcement, Sentara’s Information Security team and the third party vendor.
This incident did not affect all Sentara patients, but only certain vascular and thoracic patients treated between 2012 and 2015.
We began mailing letters to affected patients on January 13, 2017, and have established a dedicated call center to answer any questions. If you believe you are affected but have not received a letter by January 29, 2017, please call 844-319-0134, Monday through Friday, from 9:00 a.m. to 9:00 p.m. EST (excluding national holidays)
We recommend that patients who are affected by this incident following the instructions on the letters they receive and remain vigilant for incidents of fraud or identity theft by reviewing account statements and free credit reports for any unauthorized activity.
As I have written about several times in the past few months, breaches involving third-party vendors or business associates are a significant risk. Such breaches accounted for a disproportionate percentage of records breached in 2016.
Eventually, I hope Sentara will clarify whether this was an external hack or a case of employee/insider-wrongdoing.