St. Peter’s Surgery & Endoscopy Center in New York was hit by a malware attack that resulted in hackers gaining access to the healthcare data of about 135,000 patients. This is the second largest healthcare data breach to occur in New York in 2018 and the fifth largest since October 2009, when the Department of Health and Human Services’ Office for Civil Rights began publishing data breach summaries. The largest data breach in New York happened in August 2016, when 3,466,120 patient records at Newkirk Products, Inc. were compromised.
St. Peter’s Surgery & Endoscopy Center discovered the data breach on January 8, 2018, the same day the hackers accessed the server. Since the malware attack was detected early, the hackers had only a little time to access the server. This prevented them from viewing or copying patients’ data. No evidence suggests that data was accessed or stolen, but this cannot be stated with 100% certainty.
According to St. Peter’s Surgery & Endoscopy Center’s substitute breach notice, the servers of St. Peter’s Hospital and Albany Gastroenterology Consultants are separate from the Surgery & Endoscopy Center’s servers. Hence, the PHI stored by the hospital and Albany Gastroenterology Consultants was not compromised during the malware attack. The only PHI exposed belongs to patients who visited St. Peter’s Surgery & Endoscopy Center for consultation and treatment. The center mailed breach notification letters to the affected patients on February 28, 2018. The HHS’ Office for Civil Rights also received a report on the incident.
The incident report indicated that the following information was potentially accessed or copied: patients’ names, dates of birth, addresses, dates of service, diagnosis, procedure and insurance information. The Medicare information of some patients may have been exposed, but not patients’ Social Security numbers, banking information, or credit/debit card information. St. Peter’s Surgery & Endoscopy Center has offered the patients whose Medicare information was exposed a year of free credit monitoring and identity theft protection services. All patients were also asked to check their health insurance billing statements for fraudulent transactions.
The investigation did not reveal the exact nature of the malware attack. Nevertheless, the center has taken the necessary action to bolster security. It provided further training to employees and purchased the necessary software, including anti-virus and anti-malware programs.