massive phi breach medical facility

Medical Facility Discloses Massive PHI Breach: Over 181,700 Individuals Affected

June 13, 2023

A massive PHI breach at a medical facility, Commonwealth Health Physician Network-Cardiology, also known as Great Valley Cardiology, has exposed and potentially compromised confidential data belonging to almost 182,000 patients and others.

In an article posted in The HIPAA Journal, Great Valley Cardiology, a medical facility in Scranton, PA, has recently informed its current and former patients about a cyberattack and subsequent data breach that came to light on April 13, 2023. 

massive phi data breach great valley

Details of the Breach and Potentially Compromised Information

A detailed forensic study shows that the data breach at Great Valley Cardiology (GVC) included people’s names, addresses, dates, and Social Security numbers. The medical facility’s massive PHI breach also exposed driver’s license numbers and passport numbers. Banking details, medical diagnoses, prescribed medications, laboratory test results, and insurance claims information may have also been exposed.

Annmarie Poslock, Commonwealth Health spokesman, reported being informed about an incursion by the U.S. Department of Homeland Security, an organization responsible for monitoring potential cyber threats.

Moreover, Poslock explained that the unauthorized party utilizes specialized software to generate passwords until they find a successful one. She further stated that once the computer software identifies a legitimate password, the unauthorized parties employ it to gain entry into the GVC network. In cases where an unauthorized party has access to a network using genuine credentials, detecting their presence immediately within the system can often be challenging.

Poslock also reported that the GVC network is no longer accessible to unauthorized parties. It was further shared that the hackers attempted to gain entry via “brute force” methods.

protecting patients rights hipaa

Duration of the Attack and Response Measures

The hackers infiltrated Great Valley Cardiology’s systems on February 2, 2023, resulting in unauthorized disclosure of PHI, and maintained access until the systems were effectively secured on April 14, 2023.

According to the news release, the GVC group immediately took several measures in response to the PHI exposure. They disconnected their network from the Internet, disabled VPN access to prevent further breaches, and reported the incident to law enforcement.

Poslock mentioned that the investigation into the breach consisted of two stages. She explained that in the first stage, GVC enlisted the services of a forensic company to determine the files that unauthorized parties may have accessed. In the second stage, after identifying the potentially affected files, the medical practice group hired another company to conduct electronic and manual reviews.

The objective was to identify the individuals present in the affected files. GVC then undertook a process to locate and update addresses for those individuals to ensure that the notification letters reached as many involved individuals as possible via mail. Poslock emphasized that safeguarding patient information is a significant responsibility and expressed regret for any inconvenience caused to the patients in this situation.

In response to why the breach wasn’t disclosed sooner, officials stressed that a thorough two-month forensic investigation was required to identify all those affected by the incident. In the end, alerts were promptly mailed to the clients who were impacted by the Great Valley Cardiology PHI exposure. Additionally, to ensure broader awareness, ample notice regarding the breach was posted on the official website of the Commonwealth Health Physicians Network.

Medical Facility Discloses Massive PHI Breach: Over 181,700 Individuals Affected

Preventive Measures and Assurance to Affected Individuals

Given the Great Valley Cardiology PHI exposure, the medical practice group specializing in cardiology has taken steps to support its current and former patients. This includes providing them complimentary access to Experian IdentityWorks, an identity theft protection service, for 24 months. Additionally, the practice urges patients to promptly contact Experian if they suspect any fraudulent utilization of their personal information.

In light of this, safeguarding healthcare facilities against data breaches is crucial to maintaining patient privacy and data integrity. To achieve this, covered entities and their associates in business should establish robust security policies and protocols. It is also critical to regularly update these policies and conduct mandatory employee training to promote data security awareness.

Moreover, they must secure network infrastructures with firewalls, intrusion detection systems, multi-factor authentication, and encryption. It would also help to implement strict access controls and regularly update data systems to address security loopholes and vulnerabilities. Lastly, healthcare institutions should prioritize data encryption for sensitive health information. It is also a must to evaluate the security practices of third-party vendors to ensure compliance and preserve the trust of patients.

As for the said breach incident, the Pennsylvania-based medical group is currently facing a lawsuit for failing to implement adequate measures to protect its system from cyberattacks. The case was filed by attorney Andrew Ferich, who represents Michele Jarrow, one of the patients affected.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.

More great articles
hipaa fax cover sheet
HIPAA Fax Cover Sheet Checklist for 100% Compliance

If you’re familiar with the Health Insurance Portability and Accountability Act (HIPAA), you know that it has detailed guidelines on…

Read Story
manage patient information
3 Best Ways to Manage Patient Information and Health Records

Although the digitalization of healthcare has made it easier for medical professionals to share and manage patient information, it’s not…

Read Story
best hipaa-compliant form builder is Fill
5 Best HIPAA-Compliant Form Builders of 2024: Creating Secure Forms Made Easy

Choose a HIPAA-compliant form builder like Fill for secure data collection. Learn top features, integration, and best practices for healthcare.

Read Story
Subscribe to iFax Newsletter
Get great content to your inbox every week. No spam.

    Only great content, we don’t share your email with third parties.