Appointment system hacks affect info of 80,000 at Emory Healthcare
A hacker demanded a ransom from Emory Healthcare in January after accessing and deleting the appointments information system of its Orthopaedics and Spine Center as well as the Brain Health Center within Emory Clinic.
The Atlanta-based healthcare system learned of the cyber attack on January 3. The organization did not say whether it paid a ransom to gain release of the information, declining to comment further beyond a statement it released this week.
In its statement, the organization indicated it’s now notifying 79,930 patients about the incident; a listing of the incident has been posted to the HHS Office for Civil Rights breach database.
The breach affects patients who had an appointment at the Orthopaedics and Spine Center between March 25, 2015, and Jan. 3, 2017, or had an appointment at the Brain Health Center between Dec. 6, 2016, and Jan. 3, 2017. Compromised data included patient names, dates of birth, contact information, medical record numbers, dates of service, physician names and whether patients required an imaging procedure.
Financial data, Social Security numbers, diagnoses and other information from the health system's electronic health records system were not affected. Emory's statement does not mention whether affected patients will be offered identity protection services, which are typically provided when sensitive patient information is compromised. Emory's statement emphasizes that there is no indication patient information has been inappropriately used.
Further, another unauthorized access occurred when an independent security research firm that identifies vulnerabilities notified Emory of vulnerabilities it had found in the organization so they could be remedied.
As part of its efforts to research the incident, Emory hired an independent security research firm, which subsequently found that the healthcare organization may have been victimized by another unauthorized access as a result of “vulnerabilities it had found in the organization.” No further information was available on any subsequent cyber attack, and Emory did not return calls seeking comment on the incidents.