2023-07-11
BAR HARBOR — Approximately 24,000 patients who received care at Mount Desert Island Hospital, its nine health centers or its handful of specialty clinics between January 2018 and May 3 of this year received a letter from the hospital last week alerting them of a cybersecurity breach.
On May 4, the Information Technology Department at the hospital noticed some irregularities in the hospital’s internal systems that signaled an intrusion, according to hospital CEO Chrissi Maguire. Within half an hour, the IT department was able to shut down the attack, and the hospital never lost control of the entire system.
While the would-be attackers, who are believed to have been in either India or eastern Europe, did not access the Electronic Medical Records platform, they were able to access secure data on an internal drive used by hospital employees to store other types of personal patient information.
Whenever two identifying bits of information related to a patient are revealed, it results in a violation of Health Insurance Portability and Accountability Act (HIPAA) law and must be reported.
HIPAA sets federal standards to protect a person’s confidential health information. The combination of a person’s name and the date of visit would be considered two pieces of information that constitute a HIPAA violation.
According to the letter sent to patients and signed by Maguire, the patient information that could have been affected includes address, date of birth, driver’s license/state identification number, Social Security number, financial account information, medical record number, Medicare or Medicaid identification, diagnosis code information, admission/discharge date, prescription information, billing/claims information, personal representative or guardian name, and health insurance information.
Once the breach was closed, said Maguire, the hospital began to sift through the compromised files to determine its scope. Hospital staff contacted the Office of Civil Rights, which oversees HIPAA law, to report the problem.
From there, the hospital was given additional help and resources from the Federal Bureau of Investigation, which must be notified if it is believed that more than 500 people would be affected by such a breach. Currently there are hundreds of open FBI investigations regarding health care facilities across the country.
MDI Hospital also retains cybersecurity insurance, and that third party brought in resources, including legal and forensic experts, who have helped to navigate the breach and the next steps.
By law, all affected parties must be notified within 60 days, which resulted in the June 30 letter from the hospital. It took that much time, said Maguire, to review the data, determine the scope and to make sure that the correct people were sent letters.
Not all patients of the hospital, clinics and practices were affected, she said, noting that the recipients of the letter were chosen deliberately. “In fact, by law,” said Maguire, “we can’t send out a blanket mailing to all patients.”
In all, it is estimated that there were 60,000 patient visits during the four-and-a-half-year period now believed to be at risk of compromise, but data from all those visits are not believed to have been revealed.
“Protecting patient privacy is at the top of what we do,” said Maguire.
And while hospitals, including MDI Hospital, devote significant resources to IT security both internally and externally, cases of health care hacking are ticking upward.
According to the federal Office of Information Security, more than 50 million health records were exposed to hackers in 2022 and the number of breaches has doubled in the last three years alone. The most significant breaches can result in a takeover of a system, with the intention of ransoming the data and preventing the system owner from accessing the needed records to continue operation.
Maguire said that the hospital and its partners are continuing to investigate the breach and update patients with new information. In the meantime, anyone affected will be given 12 months of credit monitoring and identity protection services.
“So far, we haven’t learned of any fraud associated with this,” said Maguire, adding that people are enrolling in the monitoring services.
To access the services, contact the assistance line at (888) 220-4877 Monday through Friday from 9 a.m. to 9 p.m., or follow the prompts at the top of the letter. The hospital has created a webpage with information that can be accessed from its homepage or at www.mdihospital.org/notice-of-data-security-incident.