Unauthorised Individual Gains Access to St. Francis Health System Patient Data
The Bon Secours St. Francis Health System has announced that an unauthorised individual gained access to some of its patients’ protected health information (PHI).
The hacker compromised the systems of Milestone Family Medicine, a medical facility based in Greenville, SC. Milestone Family Medicine was affiliated with St. Francis Physicians Services (SFPS) until February 24, 2019.
SFPS officials learned of the breach on January 4, 2019. The organisation immediately took steps to revoke the unauthorised individual’s access and secure the systems. SFPS hired a third-party computer forensics firm and launched an investigation into the breach. The investigators discovered that one of the breached servers stored the PHI of a limited number of patients.
The hacker targeted the EHR systems that they could access over the Internet. To mitigate the risk of another breach of this type occurring, Milestone Family Medicine has closed off internet connections providing access to systems that are not actively being used.
Milestone Family Medicine has stated that the types of information that the individual may have accessed include names, addresses, dates of birth, health insurance information, Social Security numbers, and information related to the medical services provided to patients.
Only patients who have received medical services at Milestone Family Medicine were affected by the breach; the hacker did not access other SFPS systems. Following HIPAA’s Breach Notification Rule, Milestone Family Medicine is sending breach notification letters to affected individuals. SFPS has offered complimentary credit monitoring and identity theft protection services.
The Department of Health and Human Services’ Office for Civil Rights has yet to post details about the breach on its website. It is therefore difficult to know how many patients were affected by the breach.
Milestone Family Medicine has stated that they have not seen any evidence that the hacker has misused patient data. However, out of an abundance of caution, the organisation recommends that affected patients monitor their accounts for suspicious activity. Any signs of fraud should be reported to the relevant authorities.
SFPS has said technology management and information security risk oversight are being enhanced to prevent any further breaches of PHI and that the decision to end the affiliation with Milestone Family Medicine was not related to the breach.