HENDERSON — A data breach involving a third-party medical records vendor exposed the personal and health information of patients at two Deaconess Health System hospitals in Western Kentucky, the Evansville-based health system disclosed nearly two months after the breach itself occurred.
The breach did not affect Deaconess’s internal computer systems or its electronic medical records platform, a company official stated in a news release. Instead, the exposure reportedly affected a file-sharing platform utilized in release of information requests and managed by MRO Corp., a Pennsylvania-based health care data firm.
The requests, often referred to by the abbreviation “ROIs,” allow health care providers to share sensitive patient information with third parties with a patient’s authorization.
Patients of Deaconess Henderson Hospital and Morganfield’s Deaconess Union County Hospital are among those affected, along with patients from surrounding clinics whose data were subject to an ROI request.
“On Feb. 2, MRO notified Deaconess of a data security incident that involved some Deaconess patient information related to ROI requests,” the hospital system stated in a news release. “Deaconess began an investigation in coordination with MRO, which determined that an unauthorized actor accessed MRO’s cloud-based file sharing platform and downloaded files on Jan. 13.”
Deaconess did not disclose how many patients were affected. After the initial publication of this article, an MRO Corp. spokesperson disputed Deaconess officials’ characterization of the breach. MRO Corp. Senior Brand Manager Nicole Hoy stated the assertion that “an unauthorized actor accessed MRO’s cloud-based file sharing platform” was “false.”
“The MRO platform was not accessed,” Hoy said, adding that systems managed by MRO Corp. subsidiary MediCopy likewise were “not accessed.”
On Friday, Deaconess stood by its characterization of the breach. In a statement to the Courier & Press, a spokesperson said the breach affected a “Box instance” – referring to file sharing software – that was “controlled and managed by MRO.”
“Deaconess understands that MRO and MediCopy’s internal systems were not involved in this incident and the press release does not claim otherwise,” the statement concluded.
The data accessed by the unnamed “unauthorized actor” is potentially among the most sensitive a health care provider would hold. Depending on the individual, exposed records may have included Social Security numbers, full names, dates of birth, medical record numbers, dates of service, health insurance identification numbers and medical records related to treatment received at Deaconess facilities, according to the health system.
The combination of Social Security numbers and detailed medical records creates significant risk for identity theft, insurance fraud and the unauthorized disclosure of private health information, according to data security experts.
Deaconess said it has reported the incident to “the relevant agencies” but did not specify which ones. Federal law requires health systems operating under the Health Insurance Portability and Accountability Act to report breaches affecting 500 or more individuals to the U.S. Department of Health and Human Services’ Office for Civil Rights, among other notification requirements.
In its release, Deaconess said MRO Corp. has implemented additional security measures on its file-sharing platform following the breach. The health system said it is mailing notification letters to affected patients and offering complimentary credit monitoring and identity protection services.
Patients can also contact a dedicated call center Deaconess established for questions about the incident at 1-844-558-4567. The line is available Monday through Friday, 8 a.m. to 8 p.m. Central Time excluding holidays.
Deaconess said it “takes this incident very seriously and sincerely regrets any concern this may cause.”
The breach highlights a growing vulnerability in health care security. As medical records management systems shift from paper documents to digital systems, the exposure of patient data through breaches targeting a web of third-party vendors tasked with handling sensitive information has become more common. In recent years, third-party vendor breaches have accounted for an increasing share of health care data incidents nationwide, often affecting patients who have no direct relationship with, or awareness of, the companies holding their data.
Last year, the cybersecurity firm Black Kite reported that the health care industry accounted for approximately 41% of all third-party data breaches — more than any other industry.
“This dominance is attributed to the high value of patient data, operational dependencies on third-party providers and the sector’s inherent vulnerabilities,” Black Kite reported.
Deaconess Health System serves a regional population of more than 1.5 million people across southwestern Indiana, western Kentucky and southeastern Illinois. The health system includes 22 hospitals. While the affected facilities are in Kentucky, many patients in the Tri-State region receive care at Deaconess’s Kentucky campuses.
Patients who believe their information may have been involved are encouraged to monitor their credit reports and account statements for signs of unauthorized activity. Free annual credit reports are available at AnnualCreditReport.com. Patients who receive notification letters from Deaconess should retain them and follow the instructions for enrolling in the offered credit monitoring services.
Houston Harwood can be contacted at houston.harwood@courierpress.com.
This article originally appeared on Evansville Courier & Press: Deaconess patients’ sensitive data stolen in vendor breach
Reporting by Houston Harwood, Evansville Courier & Press
USA TODAY Network via Reuters Connect