So I had missed this item from the Journal Star on March 8th:
The Illinois Valley Podiatry Group, 3322 W. Willow Knolls Drive, has announced that it has became aware of unauthorized access to its computer records, believed to have taken place last year.
The names, addresses and Social Security numbers of patients may have been viewed, according to the medical office.
Law enforcement has been consulted with a cyber forensics firm assisting to make sure the intrusion is contained, the medical group noted.
While unsure what information has been accessed, Illinois Valley recommends that patients remain vigilant for incidents of fraud and identity theft.
[…]
I have yet to find any press release or substitute notice from the practice, but will update this if I find more. Of note, this incident was reported to HHS on March 8 as affecting 26,588 patients.
Not coincidentally, on March 8, Complete Family Foot Care in Nebraska also reported a hacking/IT incident involving EMR. Their incident was reported as affecting 5,883 patients.
Both reports appear to be linked to a common vendor, Bizmatics, Inc. Complete Family Foot Care’s notice explains:
Like many healthcare providers, our office employs the services of an independent contractor for the management and storage of electronic patient health records. We do so, in part, because doing so generally provides greater security for the information contained in those records. That information may include patient names, addresses, social security numbers, health insurance numbers, diagnoses, and treatments, but does not include credit card numbers or financial and payment information. Unfortunately, the independent contractor we employ, Bizmatics, Inc., was recently the victim of an unauthorized access to the servers containing those electronic health records. We believe that that unauthorized access occurred sometime in 2015. We were notified regarding the incident by letter in the first week of January, 2016.
Following that unauthorized access, Bizmatics immediately began working with law enforcement and data security experts to secure their servers and the information contained on them.
Because neither incident appears on HHS’s public breach tool as involving a business associate, the public tool entry might seem a bit misleading.
There does not appear to have been any public statement by Bizmatics so it is not known how many other of its clients were also impacted. DataBreaches.net has requested a statement from the firm and will provide updates as more information becomes available.
Update: NTV reports that employees at CHI Good Samaritan Hospital in Kearney, Nebraska have had their personal information stolen due to a third party vendor attack. This may also be Bizmatic, and DataBreaches.net has left a voicemail with the hospital asking them if they can confirm that. (Update: This was not a Bizmatics-related incident. It involved employee data.)
Just spent a few minutes googling info on this. Came across this which ironically notes that “92 percent of small-practice EHR [Electronic Health Record] users who switched to a cloud-based EHR from a server in the last six months feel their chances of a major patient record data breach are lowered….”
Yeah, that was last year. Before all the misconfigured mongoDB installations and other cloud-based incidents. A cloud server is just someone else’s server… no safer than your own.