An employee’s computer is hacked at a Milwaukee-based health center, exposing 43,000 records

15 February 2013

A hacker may have recently gained access to an employee’s work computer account at Milwaukee-based Froedtert Health, putting the personal information of roughly 43,000 patients at risk, according to a Milwaukee Journal Sentinel report.

The breach, the health system announced this week, initially was discovered by hospital officials two months ago, on Dec. 14, 2012; it was not revealed when the breach actually took place.

There is speculation that a computer virus enabled the access, although the hospital says that it found no evidence that an unauthorized person actually accessed any personal or medical information.

An outside computer forensics company hired to investigate the matter “could not definitively rule out the possibility that the virus was able to obtain information stored in the employee’s work computer account,” the announcement said. “A file in the employee’s work computer account contained some patients’ information, including names, addresses, telephone numbers, dates of birth, medical record numbers, names of health insurers, diagnoses” and other clinical information.

Social Security numbers also may have been put at risk, according to the hospital, although it said no financial information was stored on the computer.

“Protecting the privacy and confidentiality of the personal information we maintain always has been one of our highest priorities,” said the hospital, which set up a call center for patients with questions about the breach. “Unfortunately, such computer attacks are increasingly common, affecting organizations worldwide.”

A report published this week by IT security audit firm Redspin revealed that in 2012, 38 percent of all large-scale healthcare data breaches (those that impact 500 or more individuals) occurred on a laptop or other portable device. The updated HIPAA regulation, unveiled last month, increased fines for data breaches to as much as $50,000 per episode in cases of “willful neglect” of information without correction, and $1.5 million for multiple violations of identical incidences.
