Hospitals, Health IT, Legal

Data breaches at UPMC, Nebraska Medicine affect 250,000+ individuals

Providers are the most common targets for cyber criminals attacking the healthcare industry, and now, two major health systems have added their names to the list of recent data breach victims. The recently divulged information breaches affected 255,000 individuals.

Even as the novel coronavirus was raging in the U.S. last year, providers were concurrently fighting a different scourge: hackers. 

Several major providers experienced IT incidents in 2020, including the 26-hospital Universal Health Services and University of Vermont Medical Center. Last week, Pittsburgh-based UPMC and Omaha-based Nebraska Medicine announced that they too are on the list.

It’s not just providers who are targets.

Charles J. Hilton & Associates P.C. — which provides billing-related legal services to UPMC — alerted the health system that the personal data of more than 36,000 of its patients may have been compromised due to an information security breach. The company determined that hackers had logged into several of its email accounts between April 1 and June 25. The accounts contained various types of information, including Social Security numbers, dates of birth, bank or financial account numbers, insurance information as well as information related to diagnoses, treatments and medications.

The incident did not affect UPMC’s EHR or other computer systems, and there is no evidence that the data was misused, according to a notice issued by UPMC. Charles J. Hilton & Associates is offering credit monitoring and identity protection services to all individuals whose data was impacted.

Similarly, Nebraska Medicine and the University of Nebraska Medical Center discovered that an unauthorized party gained access to its shared network between Aug. 27 and Sept. 20, 2020. The unauthorized party deployed malware and acquired copies of some patient and employee information, including names, addresses, insurance information and clinical information. The Social Security numbers of some patients were also impacted.

sponsored content

A Deep-dive Into Specialty Pharma

A specialty drug is a class of prescription medications used to treat complex, chronic or rare medical conditions. Although this classification was originally intended to define the treatment of rare, also termed “orphan” diseases, affecting fewer than 200,000 people in the US, more recently, specialty drugs have emerged as the cornerstone of treatment for chronic and complex diseases such as cancer, autoimmune conditions, diabetes, hepatitis C, and HIV/AIDS.

In all, the data breach affected approximately 219,000 individuals.

The unauthorized party did not gain access to Nebraska Medicine and University of Nebraska Medical Center’s EHR app, and there is no evidence that any of the impacted data has been used fraudulently, the organizations said. But they are providing complimentary credit monitoring and identity theft protection services to all individuals whose Social Security numbers or driver’s license numbers were accessed.

“It is an unfortunate reality of our digital age that ‘bad actors’ are a constant threat to healthcare,” said Nebraska Medicine CEO Dr. James Linder in a news release. “Every major healthcare entity faces the same challenge, and we have seen many healthcare systems, businesses, and government agencies that were impacted by a data security attack in the past six months.”

The organizations will review their networks for unauthorized activity and work to strengthen their controls, said University of Nebraska Medical Center Chancellor Dr. Jeffrey P. Gold.

As providers enter 2021, data security will remain top-of-mind as they are the most common targets for cyber criminals attacking the healthcare industry.

From January to October last year, 513 healthcare organizations reported a breach of 500-plus patient records to the Department of Health and Human Services. Of these reported breaches, 404 occurred among providers, affecting approximately 13.5 million patients.

The threat of cyber attacks targeting the healthcare industry is on the federal government’s radar as well.

Three federal agencies released a joint notice in October 2020 warning of a credible cybercrime threat to U.S. providers and asking the industry to remain vigilant.

Photo: anyaberkut, Getty Images