Advantage Dental of Redmond, OR, has announced that hackers have successfully infiltrated its computer systems and have potentially accessed the records of over 151,000 of its patients, according to a report in the Portland Tribune.
The Oregon-based company, which primarily provides dental services for low-income patients and operates more than 30 clinics throughout the state, discovered that hackers had gained access to its internal computer systems and patient database over a period of three days between Feb 23 and Feb 26, 2015.
In accordance with HIPAA Security Rule Technical Safeguards, Advantage Dental had implemented a system that monitored access to the PHI of its patients, and that intrusion detection system identified that individuals had accessed the Protected Health Information of its patients. Access to the data was quickly shut down, but the company determined that during that time names, addresses, phone numbers, dates of birth and Social Security numbers were accessed. No financial information, payment details or healthcare data was exposed in the incident, as this information was stored in a separate database.
While HIPAA covers Protected Health Information, which primarily concerns medical and dental records, personally identifiable information is also included under HIPAA and is classed as PHI if it can be linked to an individual. Since Social Security numbers were exposed along with names and contact information, this is a HIPAA breach and is reportable to the Department of Health and Human Services’ Office for Civil Rights.
The company is bound by HIPAA Breach Notification Rules and must issue notification letters to all individuals affected by the breach, alerting them that their personal information has potentially been compromised so that they can take action to mitigate any risk. Advantage Dental is assisting its patients in this regard, again a requirement of HIPAA, by offering Experian credit monitoring services to those affected. The company has also agreed to cover the cost of the credit agency’s premium product, ProtectMyID Elite, for a period of two years.
Following an internal investigation, Advantage was able to determine that the records of 151,626 customers had been affected by the malware-related incident, according to a Bend Bulletin report. At this stage of the investigation, the company does not believe that any of the information obtained by the thieves has been used to commit medical or identity fraud. The incident has been reported to the Oregon Attorney General’s office, the Oregon State Police and the U.S. Secret Service, although it is not clear whether the OCR has yet been notified. The company has 60 days to make the breach report.
Advantage Dental’s HIPAA Compliance Manager, Jeff Dover, was quick to highlight the effectiveness of its intrusion detection system in limiting the damage caused. In many cases, as with the recent mega-data breaches at Premera Blue Cross and Anthem, hackers who are able to infiltrate healthcare computer systems are given weeks, months and sometimes years to access, copy and use PHI without detection. Dover advised the press that its hacking incident was identified and resolved “comparatively quickly”.
Access was gained via malware that had managed to escape detection by the company’s anti-virus software. The malware obtained the login credentials of a member of staff, which were subsequently used to access its membership database. The healthcare provider has approximately 250,000 customers throughout the state, and its total database contains the records of close to 1.5 million individuals, although it appears that only a small proportion of these individuals have been affected.
Advantage took prompt action to shut down access, and the healthcare provider has already taken steps to prevent future breaches from occurring. It is now restricting external access to its database and only permitting access via its internal network.
This is the second breach to hit an Oregon healthcare provider in just a few days. Bend Bulletin reports that Mosaic Medical, a central Oregon clinic, was also successfully hacked this month. That incident resulted in the data of 2,200 patients being exposed, which included personal identifiers as well as insurance information.