Post-Merger Blues: Old EHR System Breached
Records System Hacked After Physician Practice Was Sold
A recent breach involving a legacy electronic health record system that a small specialty medical practice used before becoming part of a larger healthcare entity shows the potential security risks that can follow mergers and acquisitions.
In a statement issued Jan. 21, Altamonte Springs, Florida-based AdventHealth said that its security teams were alerted on Dec. 22, 2020, of a data breach targeting the electronic records system formerly used by Tampa Bay Breast Care Specialists before it became part of AdventHealth Medical Group.
AdventHealth has more than 50 hospitals and 1,200 care sites, including medical group specialty practices, in nine states. It did not immediately respond to an Information Security Media Group request for comment and additional details.
Tampa Bay Breast Care Specialists, which has two specialty physicians, also did not immediately respond to a request for comment.
The breach appears to have involved an “unauthorized third-party” accessing the practice’s legacy EHR database, a source familiar with the case tells ISMG.
Patient Data Exposed
In its statement, AdventHealth notes that a data forensics investigation into the incident confirmed patient information that may have been compromised includes name, date of birth, gender, marital status, email address, Social Security number, driver’s license information, billing information - including credit card information, medications lists and clinical documentation.
“This former system used by TBBCS was not currently being used in day-to-day operations of AdventHealth Medical Group,” the statement notes. “The security issue only impacts the former system used by TBBCS and does not impact current AdventHealth Medical Group records.”
In the wake of the incident, AdventHealth says it has taken the EHR system formerly used by TBBCS “completely offline” and is reviewing its policies and procedures for its specialists and staff at its Tampa surgical group.
Keith Fricke, principal consultant at tw-Security, says healthcare organizations can face challenges when they have to keep a legacy system of an acquired entity online because the data has not been migrated to another system.
“The legacy system remains online in order to fulfill patient access requests to their medical information or perhaps is needed for billing or account reconciliation,” he says. “Often, a migration to a newer system is driven by the need to have new hardware or because the vendor is sunsetting support for the application. This means the legacy system no longer receives security patches, leaving them vulnerable to attack.”
When a healthcare organization makes an acquisition, it must assess how many legacy systems are involved and whether they have been patched or updated, Fricke says. “It also helps for the acquiring organization to know in advance how many of the legacy systems can be decommissioned - and how soon.”
Vendor M&A Risks
Other recent incidents have shown that vendors that undergo mergers or acquisition also can subsequently put healthcare data and systems at risk.
For instance, last November, in a lawsuit filed by
Zoll sued Barracuda in the wake of an email server migration mishap that exposed the health data of more than 277,000 individuals, including patients who use Zoll’s emergency medical products such as wearable heart defibrillators. Barracuda merged with a company that provided hosted services to Zoll prior to the breach.