June 23, 2023
In recent news, Senior Choice, Inc. and Williamsport Homes, both located in Pennsylvania, fell victim to a data breach on April 20, 2023. These reports of cyberattacks on residential care facilities highlight the importance of protecting sensitive health information and the need to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements.
Williamsport Home Cyberattack
The cyberattack on Williamsport Home, a continuing care retirement community, was detected on April 24, 2023, when suspicious activity affecting business operation systems was discovered. Immediate action was taken to contain the situation and secure the computer systems. While the breach did not compromise the systems directly responsible for resident care, it did expose protected health information stored within the affected business systems.
Senior Choice Inc. Cyberattack
Similarly, the Senior Choice Inc. breach was due to a cyberattack that happened on the same date. Senior Choice manages three residential care facilities: The Atrium at 216 Main St., Johnstown, PA; Beacon Ridge at 1515 Wayne Ave., Indiana, PA; and The Patriot at 495 W Patriot St., Somerset, PA. The detection of unauthorized access and system compromise prompted immediate measures to safeguard their internal systems.
Breach Investigations Underway for Williamsport Homes and Senior Choice Cyberattacks
The breach investigations at the residential care facilities are ongoing. So far, the evidence shows unauthorized access to Senior Choice’s and Williamsport Homes’ internal systems for business operations from April 18, 2023 to April 24, 2023. According to the Senior Choice and Williamsport Homes press releases, no evidence suggests the cyberattack impacted software systems directly involved in resident care. The exact extent of both cyberattacks is yet to be determined, and individuals potentially affected are advised to remain vigilant against identity theft and fraud.
The residential care facilities advised their clients that the following electronic protected health information (ePHI) may have been compromised during the attacks:
- birth dates
- admission dates
- discharge dates
- death dates
- medical record numbers
- provider or facility name
- medical condition
- diagnosis and/or treatment information
- lab results
- payment amount history
- insurance payment amount
- date of service
- Social Security numbers
- financial accounts
- credit card numbers
- medical information
- health insurance information
- driver’s license
- state identification numbers
- passport numbers
- any other data created, used, or disclosed while providing health care services
In response to the cyberattacks, both Senior Choice and Williamsport Homes are taking proactive steps to strengthen their security infrastructure. The facilities have provided notice to all individuals who might be affected. They have also conducted comprehensive investigations, engaging leading industry professionals in data privacy and security. These experts are at the investigation’s forefront and liaise with the relevant government agencies and law enforcement.
Complying With HIPAA Prevents Residential Care Facilities Cyberattacks
Complying with HIPAA regulations is critical in the residential care sector. HIPAA requirements aim to safeguard patients’ PHI from unauthorized access and ensure their privacy and safety. Failure to comply with these regulations can result in severe penalties and irreparable reputational damage.
The Williamsport Homes and Senior Choice cyberattacks highlight the vulnerabilities that residential care facilities face as the healthcare industry becomes increasingly digitized. The compromised ePHI raises concerns about privacy and the potential misuse of personal data. These incidents reinforce the need for heightened security measures and continuous monitoring to protect sensitive information.
Strengthening Security: Implementing Technical Safeguards in Residential Care Facilities
Senior Choice and Williamsport Homes are strengthening their technical safeguards to prevent future breaches. Technical safeguards protect clients’ ePHI. The appropriate policies and procedures should include the following standards:
- controlled access to ePHI,
- continuous recording and examination of information system activity to determine security violations,
- regular risk assessments,
- proper ePHI alteration and destruction, and
- comprehensive HIPAA training programs.
Applications of these standards include:
- encryption and decryption methods,
- data or message authentication codes,
- automatic logoffs,
- emergency access procedures,
- audit reports, and
- user authentication methods such as biometrics or smart cards.
These measures are stringent and require thorough and detailed security protocols. Facilities should also employ HIPAA-compliant technology such as secure email, websites, and online faxes. Healthcare facilities must be willing to invest substantially in human and financial resources to comply with HIPAA requirements. However, doing so protects residents’ health information and prevents more considerable losses in the future.
The cyberattacks on Senior Choice and Williamsport Homes are a stark reminder of the ever-present cybersecurity threats residential care facilities face. Complying with HIPAA requirements and implementing strong technical safeguards are vital for protecting sensitive information and maintaining the trust and well-being of residents. These incidents should spark a renewed commitment within the industry to fortify security measures, ensuring that residents can continue to receive high-quality care and services in a safe and protected environment.