Website upgrade leaks nearly 9,000 records at Illinois hospital as hacking incidents mount in August

A data breach at Silver Cross highlights the importance of security controls among business associates.

A vendor-initiated software upgrade may have exposed the personal information of nearly 9,000 patients at Silver Cross Hospital outside of Chicago, underscoring the privacy and security impact third-party associates can have on providers.

Silver Cross discovered the breach in June, seven months after the vendor that runs the hospital’s website upgraded its software, which reconfigured the security settings, according to a letter that went out to patients affected by the breach. Data submitted through forms on the hospital’s website were “potentially made available on the internet,” according to the hospital.

Silver Cross reported the breach to the Office for Civil Rights on Aug. 11. The compromised information includes personal information as well as Social Security numbers, health insurance numbers and information pertaining to mental health conditions. The letter to patients did not name the vendor involved.

“The incident was limited to the data hosted by the vendor, and Silver Cross’s own network and patient records systems were not affected,” the hospital wrote.

The incident highlights the impact vendors and business associates can have on healthcare providers, which are required to report data breaches that involve more than 500 patients. In June, Anthem reported a data breach that exposed 18,500 members after an employee at a third-party analytics company was discovered improperly emailing member records.

The Silver Cross breach is buried among a slew of hacking incidents throughout the month of August. Over the past month, two providers have reported hacking incidents exceeding 100,000 patient records. McLaren Medical Group reported that information for approximately 106,000 patients had been compromised due to unauthorized access to the computer system within the provider’s radiology center.

Pacific Alliance Medical Center also reported a malware attack that may have compromised more than 266,000 patient records.

A mid-year report of healthcare data breaches indicates the number of incidents in 2017 is set to outpace the previous year. Hacking incidents are up 20%, but insiders still play a predominant role in breach incidents.