Malware Causes Breach At Cleveland's MetroHealth System
By Christine Kern, contributing writer
The breach affected nearly 1,000 heart patients over the past year.
An Agari Research report found healthcare’s security challenges are in a class of their own, and when it comes to addressing email security and threats it would be hard to do worse. Throw in the fact experts warn ransomware, spam, and phishing cyber-attacks targeted at the industry are likely to escalate this year it is obvious providers need to tighten their guard when it comes to protecting patient’s health information (PHI).
This is a lesson recently learned the hard way by Cleveland’s MetroHealth System. The healthcare provider has sent notifications to 981 patients who received heart catheterization procedures at the hospital over the past year stating their PHI may have been compromised, according to Cleveland.com.
A MetroHealth statement indicates the health system discovered malware on three computers in its Cardiac Cath Lab on March 17, and the breach affected patients who had procedures in that lab between July 14, 2014 and March 21, 2015. The malware was removed on March 18, but it took several more days to find the additional “back door” component of the virus, which was removed on March 21.
Although there is no evidence that any health information was compromised, MetroHealth is notifying patients of the breach. The investigation revealed a business associate disabled antivirus software on the affected computers in order to facilitate a software update, which then allowed the malware to penetrate the systems.
While the computers did not contain financial information, which is most valuable to cyber criminals, they did contain patient names, dates of service, birth dates, height, weight, medications administered during procedures, medical record numbers, case numbers for procedures, and cardiac catheterization raw data including EKG tracings and oxygen saturation levels.
The statement read, “MetroHealth has no evidence that the malware is used to obtain medical information. WE sincerely apologize and regret that this situation has occurred.”
As a result of the breach, MetroHealth has stated that it is strengthened procedures to protect patient privacy and revised software update procedures for the Cath Lab computers.