Bryan, Texas-based St. Joseph Health System is notifying patients and employees that more than 405,000 records were exposed during a two-day data security attack in mid-December.
The attack on a server began Dec. 16 and was discovered Dec. 18 by St. Joseph IT employees, who immediately took the server offline. Tim Ottinger, vice president for the regional health system, told The Eagle that the attack has been traced to China and reported to the FBI.
The exposed records included names, Social Security numbers, dates of birth, patient medical records and possibly addresses. For some affected employees, bank account information was also accessible, the hospital said in a statement on its website.
Forensic investigators were unable to determine whether the hackers extracted any of the data, but all those affected are being offered one free year of identity protection services.
The breach was the fourth largest in the past year, according to the U.S. Department of Health & Human Services' "wall of shame," which has been busy in the past month with more than 70 health data breach incidents added in January.
The number of personal health records breached rose by 138 percent in 2013, according to a report from IT security audit firm Redspin. The theft of four desktop computers from Downers Grove, Ill.-based Advocate Medical Group was the largest breach, with more than 4 million records exposed.
In a new survey from MeriTalk, most health IT executives said they feel unprepared for data breaches.
At the same time, a ruling from the Federal Trade Commission last month means healthcare organizations could be dinged for a breach by that agency as well as by the HHS Office for Civil Rights.
"I think the FTC is going to become a more active player where enforcement is concerned," Jeff Smith, director of federal relations for the College of Healthcare Information Management Executives, told FierceHealthIT.