June 13, 2023
A massive PHI breach at a medical facility, Commonwealth Health Physician Network-Cardiology, also known as Great Valley Cardiology, has exposed and potentially compromised confidential data belonging to almost 182,000 patients and others.
In an article posted in The HIPAA Journal, Great Valley Cardiology, a medical facility in Scranton, PA, has recently informed its current and former patients about a cyberattack and subsequent data breach that came to light on April 13, 2023.
Details of the Breach and Potentially Compromised Information
A detailed forensic study shows that the data breach at Great Valley Cardiology (GVC) included people’s names, addresses, dates, and Social Security numbers. The medical facility’s massive PHI breach also exposed driver’s license numbers and passport numbers. Banking details, medical diagnoses, prescribed medications, laboratory test results, and insurance claims information may have also been exposed.
Annmarie Poslock, Commonwealth Health spokesperson, reported that the practice was informed of the intrusion by the U.S. Department of Homeland Security, an organization responsible for monitoring potential cyber threats.
Poslock explained that the unauthorized party used specialized software to generate passwords until it found one that worked. Once the software identified a legitimate password, the unauthorized parties used it to gain entry to the GVC network. When an unauthorized party accesses a network with genuine credentials, detecting its presence quickly can be challenging.
Poslock also reported that the GVC network is no longer accessible to unauthorized parties, and that the hackers had attempted to gain entry via “brute force” methods.
Duration of the Attack and Response Measures
The hackers infiltrated Great Valley Cardiology’s systems on February 2, 2023, resulting in unauthorized disclosure of PHI, and maintained access until the systems were effectively secured on April 14, 2023.
According to the news release, the GVC group immediately took several measures in response to the PHI exposure. They disconnected their network from the Internet, disabled VPN access to prevent further breaches, and reported the incident to law enforcement.
Poslock mentioned that the investigation into the breach consisted of two stages. She explained that in the first stage, GVC enlisted the services of a forensic company to determine the files that unauthorized parties may have accessed. In the second stage, after identifying the potentially affected files, the medical practice group hired another company to conduct electronic and manual reviews.
The objective was to identify the individuals present in the affected files. GVC then undertook a process to locate and update addresses for those individuals to ensure that the notification letters reached as many involved individuals as possible via mail. Poslock emphasized that safeguarding patient information is a significant responsibility and expressed regret for any inconvenience caused to the patients in this situation.
In response to why the breach wasn’t disclosed sooner, officials stressed that a thorough two-month forensic investigation was required to identify all those affected by the incident. In the end, alerts were promptly mailed to the clients who were impacted by the Great Valley Cardiology PHI exposure. Additionally, to ensure broader awareness, ample notice regarding the breach was posted on the official website of the Commonwealth Health Physicians Network.
Preventive Measures and Assurance to Affected Individuals
Given the Great Valley Cardiology PHI exposure, the medical practice group specializing in cardiology has taken steps to support its current and former patients. This includes providing them with complimentary access to Experian IdentityWorks, an identity theft protection service, for 24 months. Additionally, the practice urges patients to contact Experian promptly if they suspect any fraudulent use of their personal information.
In light of this, safeguarding healthcare facilities against data breaches is crucial to maintaining patient privacy and data integrity. To achieve this, covered entities and their business associates should establish robust security policies and protocols. It is also critical to update these policies regularly and to conduct mandatory employee training that promotes data security awareness.
Moreover, they must secure network infrastructures with firewalls, intrusion detection systems, multi-factor authentication, and encryption. It also helps to implement strict access controls and to update data systems regularly to address security loopholes and vulnerabilities. Lastly, healthcare institutions should prioritize encryption of sensitive health information, and they must evaluate the security practices of third-party vendors to ensure compliance and preserve the trust of patients.
As for the said breach incident, the Pennsylvania-based medical group is currently facing a lawsuit for failing to implement adequate measures to protect its system from cyberattacks. The case was filed by attorney Andrew Ferich, who represents Michele Jarrow, one of the patients affected.