DataBreaches.Net

Inova Health notifies patients after law enforcement alerts them to breach that began in 2016 [UPDATED]

Posted on November 8, 2018 by Dissent


Inova Health has been notifying patients of a breach that law enforcement first alerted them to on September 5.

According to a notice on the Northern Virginia – Washington, D.C. – metro area health system’s site:

On September 5, 2018, we were advised by law enforcement that some of our patient records may have been accessed by an unauthorized person. Upon learning this, we immediately began an investigation to determine how the access occurred and engaged a leading forensic firm to determine what happened and what information may have been accessed. Our investigation determined that the unauthorized person obtained the login credentials of an Inova employee and used those credentials to access our billing system in January 2017 and between July and October 2017. The individual also accessed a limited number of paper billing records in December of 2016. The individual accessed certain patients’ information, including patient names, addresses, dates of birth, medical record numbers, and Social Security numbers. For a small number of patients, treatment information also may have been accessed.

In response to the incident, and in addition to offering free credit monitoring and identity protection services, Inova writes that they deeply regret the incident and are

enhancing our security processes, have put in place additional monitoring tools, are retraining employees about password security and securing sensitive information before leaving their desks unattended, have updated our policies regarding password complexity and limitations on transmission of information, and we are reviewing our policies and procedures.

Hopefully they will also impose stricter and more frequent password reset policies: if the bad actor could access the billing system in January 2017 as well as in July – October of 2017, it tells us that the employee did not change their password during that time period and that the system did not require the employee to change their password.

DataBreaches.net called and emailed Inova yesterday to request clarification on a few points, including the number of patients affected or notified, and how the unauthorized individual was able to access paper records in 2016 — were they an employee or was there some other way in which they gained access?

DataBreaches.net received a pro forma response about the incident that did not answer either of the questions above, despite a second request. If Inova does answer those questions, this post will be updated.

UPDATE 1: I heard back from Inova after publication of this post. It seems that the unauthorized individual is alleged to be a former independent contractor. According to Inova’s spokesperson, his last day with Inova was in November of 2017. Their spokesperson adds,

We cannot provide specific information about the individual responsible, except that we are working with law enforcement in their on-going investigation. Inova serves more than two million patients each year and only a small percentage of that patient population was affected. Inova values its relationship with our patients and understands the importance of protecting patients’ information.

So maybe their password reset policies were adequate but the contractor’s access made those policies and passwords ineffective as a defense.

UPDATE 2: The incident now appears on HHS’s breach tool as impacting 12,331 patients.

Inova’s notification to the Montana Attorney General’s Office appears below.
