A Tennessee-based national health system announced on Monday that hackers stole data for 4.5 million patients from its computer system. This breach affects all patients from the last 5 years and compromised names, Social Security numbers, addresses, birth dates and phone numbers. While no medical information was stolen, the information pilfered does identify patients and therefore constitutes Protected Health Information under HIPAA.
The hackers were based in China and used sophisticated malware to attack the health system's computers in April and June.
Fallout: Falling stock prices
Shortly after announcing the breach, the health system saw its shares dip. Between notification costs, any identity theft protection potentially offered by the company, and investigation and legal costs, the stock plunge is the tip of the iceberg when it comes to financial fallout from a breach of this size.
Breach notification is on the way
The health system reported that it will notify the 4.5 million patients about the breach. It is too soon to tell if, when, or how HIPAA penalties will be imposed. But, because this breach involves more than 500 patients, it is expected that the Office for Civil Rights (OCR) will conduct an investigation into the health system's adherence to the Security Rule.
Are you at risk?
In this case, the hackers' tool was malware: something the Security Rule requires providers to address. With OCR HIPAA audits around the corner, now is a good time to review your HIPAA Security Risk Assessment, along with your policies and procedures, to determine whether you have taken sufficient precautions to prevent and detect malware in your institution.