The breaches keep adding up.  Learn more about some of the most recent breaches and what you can do to help protect your health care organization against them.

Oklahoma State University Center breach affected nearly 280,000 patients

On January 5, the Oklahoma State University Center for Health Sciences (OSUCHS) reported a significant breach to the U.S. Department of Health and Human Services, which affected 279,865 patients.  The notification letter sent out by OSUCHS details how the breach occurred.

OSUCHS discovered the breach on November 7, 2017.  A third party gained access to folders on the OSUCHS network, which contained Medicaid patient billing information.  The next day, OSUCHS terminated the third-party access and removed the folders from the network.  Additionally, employees launched an exhaustive investigation into the incident, including hiring an independent data security firm.

OSUCHS was not able to determine if the rogue third party was able to access patient information, such as patients’ names, Medicaid numbers, dates of services, or treatment information.  However, OSUCHS also doesn’t have evidence that the information was used inappropriately.  Consequently, OSUCHS notified all affected patients by letters and a notice on the website.  OSUCHS also established a dedicated call center to field any questions patients may have.  OSUCHS stated in the letter that additional security measures have been implemented to protect patient information as much as possible.

Colorado doctor’s office hacked twice in one week

Longs Peak Family Practice (LPFP), located in Longmont, Colorado, reported a security incident to the U.S. Department of Health and Human Services, which affected more than 16,000 patients.  On November 5, 2017, LPFP discovered suspicious activity on the network.  Unfortunately, this suspicious activity resulted in ransomware that encrypted specific files on the computers on the network.  On November 10, 2017, LPFP discovered additional suspicious activity that did not result in ransomware.

Consequently, LPFP hired a forensic computer team to assist in investigating both incidents.  This investigation concluded on December 5.  The team determined that there was no evidence that patient data was removed or accessed by the perpetrator(s).  However, because there was ransomware causing some files to be encrypted, LPFP reported the incident.

LPFP stated that steps have been taken to help protect patient information in the future. One of these steps includes the purchase of a new firewall.  LPFP is also re-evaluating the network configuration and policies that are currently in place, and providing additional privacy and security training to employees.

Finally, LPFP has retained AllClear ID to provide fraud protection for 12 months, at no cost, to affected patients.  Patients can also learn from AllClear ID how to protect their information on their end.


To learn more about steps you can take to protect against these types of breaches, join HIPAAgps today!