Sentara Healthcare: Investigation into Data Breach

Sentara Healthcare is investigating a data breach at one of its third-party vendors that allowed the protected health information of a number of patients to be accessed by an unauthorized person. Sentara Healthcare was alerted to a possible ePHI breach by police officers on the 17th of November 2016. An internal investigation was promptly begun to identify the origin of the breach. Investigators were led to one of Sentara Healthcare’s vendors.

The twelve-hospital healthcare system’s vendor is not involved in the healthcare of patients. The company’s role is to furnish data together with benchmarking services. At present, no additional details about the vendor or the origins of the breach have been made public. It remains unknown whether a hacker obtained access to the vendor’s systems or if data was in fact inappropriately accessed and stolen by a rogue employee of the company.

It has been confirmed that some 5,454 thoracic and vascular patients who were treated at Virginia hospitals run by Sentara Healthcare between 2012 and 2015 have been affected by the breach and that their ePHI has been put at risk. Data that may have been copied by the wrongdoer includes patients’ full names, Social Security numbers, demographic information, birth dates, medical record numbers, clinical information, medical procedures, and medications prescribed to them.

Patients were informed of the breach by letter in early January 2017 and have been offered one year’s membership of a free credit monitoring and identity theft resolution service as a precaution against identity theft. If any patient believes their personal information has been inappropriately used, he or she is entitled to assistance in recovering their identity.

The investigation by Sentara Healthcare’s IT security team is ongoing. The team is said to be working closely with law enforcement and the vendor concerned. Sentara Healthcare has stated that the vendor will implement additional controls to enhance data security and prevent a recurrence.