Decatur County General Hospital warns 24K patients of data breach involving EHR server

Decatur was notified about the attack in November by its EHR vendor CPSI. (Getty/gintas77)

A community hospital in Tennessee is warning 24,000 patients their information may have been exposed last year during a cyberattack linked to its EHR system.

The attack involved unauthorized software installed on a server that hosts Decatur County General Hospital’s (DCGH) EHR system, according to a letter (PDF) sent to patients impacted by the incident. The notice said the software was installed to generate cryptocurrency but did not specify whether it was part of a ransomware attack.

DCGH was notified about the software by its EHR vendor, Computer Programs and Systems, Inc. (CPSI), which supports the server on behalf of the hospital. CPSI notified the hospital about the incident on Nov. 27, but a subsequent investigation by DCGH found the software had been installed at least as of Sept. 22. CPSI replaced the server four days later, according to the notice.

DCGH reported the incident to HHS on Jan. 26, the same day it notified patients about the breach. The hospital did not respond to a request for comment.

“Following receipt of the incident report, we began our own investigation into the incident,” the letter stated. “At this time, our investigation continues, but we believe an unauthorized individual remotely accessed the server where the EMR system stores patient information to install the unauthorized software.”

CPSI’s chief marketing officer, Tracey Schroeder, told FierceHealthcare the company notified the hospital about the issue, but said the incident had “nothing to do with CPSI.” She said CPSI supports a server housed at the hospital but doesn’t manage the hospital’s firewalls. She declined to provide further details about the incident without approval from DCGH.

DCGH's letter stated the hospital has no evidence patient information was acquired or viewed, but the investigation “has been unable to reasonably verify that there was not unauthorized access of your information.”

Ransomware attacks have plagued hospitals and EHR vendors since the beginning of the year. Notably, provider EHR and billing systems were knocked offline last month after Allscripts was hit with a ransomware attack. The EHR vendor is now facing a class action lawsuit from providers impacted by the outage.