A data security incident at Shore Speciality Consultants Pulmonology Group (SSCPG) has potentially compromised the protected health information (PHI) of 10,000 patients.
SSCPG, based in New Jersey and part of the Shore Physicians Group, released a bulletin outlining the breach. According to the report, on July 8, 2019, SSCPG discovered suspicious activity on their network. IT security staff immediately took action to revoke unauthorized access and secure the account.
The breach appears to have been detected within a day of the hacker first gaining access to the networks, therefore limiting the hacker’s potential to cause damage.
SSCPG immediately launched an investigation into the breach to determine what types of information was affected and the scope of the breach. The investigators determined the server contained patient names, dates of birth, and information relating to care received. Some information regarding a sleep study was stored on the server, pertaining to a limited number of patients.
Neither Social Security numbers nor financial information was stored on the server, thereby reducing the risk of patients falling victim to identity fraud.
The investigators did not uncover evidence to suggest that the unauthorized individual copied, altered, or exfiltrated any patient information. However, the possibility of data access could not be ruled out definitively. As such, SSCPG decided to notify the 9,700 patients identified as being affected by the breach.
Following HIPAA’s Breach Notification Rule, SSCPG has sent breach notification letters to all affected patients. The group has also set up a dedicated helpline for affected patients to call to obtain more information about the breach.
In their online bulletin, SSCPG has advised patients to monitor and carefully review all statements they receive from healthcare providers and be on the lookout for signs of fraudulent activities.
SSCPG also stated that the breach had prompted them to begin ‘training staff, reviewing and revising policies and procedures, and enhancing its security against malware’ to prevent another breach of this nature from occurring.
SSCPG has not offered any information about how the unauthorized individual gained access to their server. In many cases, hackers gain access by fooling an employee into handing over their login credentials using a phishing campaign. Although this is likely what happened in the SSCPG incident, it has yet to be confirmed.