Reposted from HealthData Management – March 25, 2015 By Joseph Goedert
Advantage Dental, serving more than 200,000 residents across Oregon through 30 clinics, notified 151,626 patients of a breach of protected health information within 30 days after an internal database was hacked.
The intruder accessed the database through a computer infected with malware, says Jeff Dover, compliance manager. The access initiated on February 23 and was discovered on February 26 when access was terminated.
The organization’s information technology staff conducted the forensics and remediation activities in-house, which reduced costs and aided in being able to issue notifications fast, according to Dover. “The database held 1.5 million records and they got 10 percent because it was caught quickly.”
Compromised information included name, date of birth, phone number, Social Security number and home address. No treatment or financial information was accessed, and Advantage Dental has no evidence to date that the compromised information has been used for criminal activity. Affected patients are being offered two years of credit monitoring and identity theft protection services from Experian.
Even though Advantage Dental did not have to contract for outside help, the organization learned that the cost to recover still was higher than envisioned and other providers have to ready for that revelation, Dover says. “You don’t realize how many records are at risk and what insurance really covers.” An organization may have 50,000 current records, but if it has been in business for a decade or two, it has many multiples of more records still in the database.
During the forensics investigation, staff did not find a string of web address that could aid in identifying where the attack originated, but Dover speculates the malware could have come in via an advertising banner.
The employee on the computer at the time of infection had not been on email or on Web sites that should not have been visited. Data in transmit in the organization has been encrypted; for security reasons Dover would not discuss database security measures employed before the attack and enhanced measures since added.
Among new policies enacted is a prohibition on personal Web surfing on any company computer. “You can go to Yahoo, but it better be something to do with the business,” Dover says.