Post-Merger Blues: Old EHR System Breached

Records System Hacked After Physician Practice Was Sold
A recent breach involving a legacy electronic health record system that a small specialty medical practice used before becoming part of a larger healthcare entity shows the potential security risks that can follow mergers and acquisitions.

In a statement issued Jan. 21, Altamonte Springs, Florida-based AdventHealth said that its security teams were alerted on Dec. 22, 2020, to a data breach targeting the electronic records system formerly used by Tampa Bay Breast Care Specialists before it became part of AdventHealth Medical Group.

AdventHealth has more than 50 hospitals and 1,200 care sites, including medical group specialty practices, in nine states. It did not immediately respond to an Information Security Media Group request for comment and additional details.

Tampa Bay Breast Care Specialists, which has two specialty physicians, also did not immediately respond to a request for comment.

The breach appears to have involved an “unauthorized third-party” accessing the practice’s legacy EHR database, a source familiar with the case tells ISMG.

Patient Data Exposed

In its statement, AdventHealth notes that a data forensics investigation into the incident confirmed that the patient information that may have been compromised includes name, date of birth, gender, marital status, email address, Social Security number, driver’s license information, billing information (including credit card information), medication lists and clinical documentation.

“This former system used by TBBCS was not currently being used in day-to-day operations of AdventHealth Medical Group,” the statement notes. “The security issue only impacts the former system used by TBBCS and does not impact current AdventHealth Medical Group records.”

In the wake of the incident, AdventHealth says it has taken the EHR system formerly used by TBBCS “completely offline” and is reviewing its policies and procedures for its specialists and staff at its Tampa surgical group.

Common Challenges

Keith Fricke, principal consultant at tw-Security, says healthcare organizations can face challenges when they have to keep a legacy system of an acquired entity online because the data has not been migrated to another system.

“The legacy system remains online in order to fulfill patient access requests to their medical information or perhaps is needed for billing or account reconciliation,” he says. “Often, a migration to a newer system is driven by the need to have new hardware or because the vendor is sunsetting support for the application. This means the legacy system no longer receives security patches, leaving them vulnerable to attack.”

When a healthcare organization makes an acquisition, it must assess how many legacy systems are involved and whether they have been patched or updated, Fricke says. “It also helps for the acquiring organization to know in advance how many of the legacy systems can be decommissioned - and how soon.”

Vendor M&A Risks

Other recent incidents have shown that vendors that undergo mergers or acquisitions can also subsequently put healthcare data and systems at risk.

For instance, last November, in lawsuit filed by

Zoll sued Barracuda in the wake of an email server migration mishap that exposed the health data of more than 277,000 individuals, including patients who use Zoll’s emergency medical products such as wearable heart defibrillators.

Barracuda merged with a company that provided hosted services to Zoll prior to the breach.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
