A Nebraska-based medical supply company discovered a HIPAA breach that affected more than 21,000 patients.

CBS Consolidated, Inc., also known as Cornerstone Business & Management Solutions recently discovered a hacking incident while reviewing logs.  The discovery was made July 10, 2017, when Cornerstone found an unfamiliar account.

While looking into the account, Cornerstone noticed that information stored on their server was being downloaded.  Downloaded information included patient information, such as names, dates of birth, and insurance information, which may potentially carry Social Security Numbers.

Cornerstone stated that the downloaded information did not contain checking or credit card information.

Once the rogue account was discovered, Cornerstone immediately locked the server and isolated it on the network.  Cornerstone is still investigating the incident to determine how this rogue access was obtained and to determine if other safeguards need to be implemented.

Cornerstone is offering 12 months of free credit monitoring to all patients who were affected by this incident.


This case outlines why regular reviews of audit logs and monitoring are important aspects of HIPAA compliance.

Remember: Audit controls are a requirement for HIPAA compliance.

Often, organizations are notified by external people about a breach, whether that’s a patient or the FBI who notifies them. Reviewing logs will allow you to find the anomalies much quicker, and reduce the impact. Page 10 of the 2017 Ponemon Institute report provided information on how costly data breaches can be.  The more records that are lost, or downloaded, the higher the cost of the breach will be.  So, the longer the hacker has access to patient information, the longer he or she will be able to download information, making it more costly over time. So, catch hackers early by regularly monitoring and auditing your servers.

Also, if you are a covered entity, this is a great reminder to check in with your business associates on a regular basis to ensure they are doing everything they can to protect your patients’ health information.  Remember, you can be held responsible if your business associate experiences a HIPAA breach, which could mean monetary fines for you. Don’t risk it! At HIPAAgps, we have tools that can help you monitor your business associates’ practices to track how they are adhering to the HIPAA standards. Find out more about our services here.