Hackers Hit Health System's Server

St. Joseph Health System Describes Details, Response

By , February 6, 2014.

A three-day hacker attack in December against an onsite server at St. Joseph Health System in Bryan, Texas, exposed information on about 405,000 individuals.


If details of the breach are confirmed by the Department of Health and Human Services' Office for Civil Rights, the incident would be the third largest hacking incident posted on HHS' "wall of shame" website listing breaches affecting 500 or more individuals since September 2009.

Major hacking attacks have been relatively rare in healthcare, with only 62 such attacks among the more than 800 breaches on the HHS tally. The largest was a 2012 incident at the Utah Department of Health, which affected 780,000 individuals.

For the most part, healthcare organizations have not been among the most common targets for the hacking community, says Brian Evans, a principal security and privacy consultant at Tom Walsh Consulting. "However, evidence suggests that many organizations just aren't that good at detecting incidents involving confidential information," he says. "I believe the primary reason hacking attacks are less common in healthcare is that many organizations are not mature enough to realize they have been hacked."

Breach Details

St. Joseph, a not-for-profit, Catholic integrated delivery system, revealed on Feb. 4 that during a 48-hour period spanning Dec. 16-18, 2013, the organization experienced a data security attack, in which unknown parties gained unauthorized access to a single server containing patient and employee files.

Tim Ottinger, the healthcare provider's vice president of advocacy and governmental affairs, tells Information Security Media Group that a forensics examination has determined that the unauthorized parties operated from IP addresses in China and elsewhere. The hackers accessed an onsite server that contained patient and employee data for several St. Joseph facilities in Texas.

Those facilities included St. Joseph Regional Health Center, Burleson; St. Joseph Center, Madison; St. Joseph Health Center, Grimes; and St. Joseph Health Center and St. Joseph Rehabilitation Center, both in Bryan.

Ottinger would not discuss how the attack was detected, but he says the organization took the affected server offline as soon as the incident was discovered and launched an investigation.

Measures Taken

In the aftermath of the incident, St. Joseph has implemented "eight to 10 new processes and security measures, and we will be looking at putting into place additional ones" to safeguard data against potential security incidents in the future, Ottinger says. He declined to disclose details.

St. Joseph notified law enforcement, including the FBI, and other government regulatory bodies, including the Federal Trade Commission and HHS, about the incident, he says.

So far, the forensics investigation has not found any indication that any data was removed from the affected server, Ottinger says. Nonetheless, each affected individual is being offered one year of free credit monitoring, he says.

Individuals affected by the breach include about 2,000 current and former employees and their beneficiaries, whose impacted data may have included bank routing information, names, addresses, dates of birth, and Social Security numbers, he says.

Of the patients affected, data compromised by the breach may include names, addresses, dates of birth, Social Security numbers and some medical information, he says. The medical data exposed did not include patients' full medical records, but narrower information, such as registration information related to medical lab tests, Ottinger says.

Other Hacking Incidents

The HHS "wall of shame" website lists just two hacking incidents with more individuals affected than in the St. Joseph Health System breach.

Authorities believe the largest incident, which occurred March 10 to April 2, 2012 at the Utah Department of Health, involved East European hackers accessing a state server.

The second largest hacking incident listed on the HHS tally involved the Puerto Rico Department of Health and affected 475,000 individuals. That incident occurred in October 2008, before the HIPAA breach notification rule took effect.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
