HIPAA/HITECH, Incident & Breach Response, Security Operations

Small Rural Alabama Hospital Reports Big 2023 Hacking Breach

Why Did it Take So Long to Notify Regulators and Affected Patients?
Medical Center Barbour in Alabama is notifying patients whose data was compromised in an October 2023 hack (Image: Medical Center Barbour)

A small rural Alabama hospital is notifying more than 61,000 patients that their sensitive information was potentially compromised in an October 2023 hacking incident. The hospital attributed the 10-month-long lag between discovery of the incident and notification to difficulties in identifying the individuals and the information affected in the hack.


Medical Center Barbour, a 74-bed acute care hospital in Eufaula, Alabama, reported the incident on Aug. 22 as affecting 61,014 individuals.

As of Monday, the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website did not yet show a report to federal regulators by Medical Center Barbour for the incident.

In a breach notice posted on its website Thursday, Medical Center Barbour said that on Oct. 29, 2023 it detected suspicious activity in its network environment.

The investigation, concluded on Dec. 8, 2023, determined that an unauthorized actor accessed certain files and data stored within the hospital's network. Medical Center Barbour said it then began an internal review of the data stored on the affected server at the time of the incident.

"After our own review, on May 21, MCB engaged a reputable data mining vendor to assist in the time-consuming and detailed reconstruction and review of the data stored on the server at the time of this incident to better understand whose information was affected."

On July 31, the data mining vendor identified individuals whose sensitive data was included within the compromised data.

The information potentially affected varies among individuals but may include name, date of birth, address, health insurance information, driver's license and medical information. For a smaller subset of individuals, the potentially compromised data also includes Social Security numbers, passport information and financial information.

Under the HIPAA breach reporting rule, regulated entities must notify affected individuals no later than 60 days after discovery of a HIPAA breach, and must report the incident to HHS' Office for Civil Rights within that same time frame when the breach affects 500 or more individuals.

If affected individuals have not all been identified for notification within the 60-day time frame, covered entities should post a substitute HIPAA breach notice on their public website.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
