DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Inova Health notifies patients after law enforcement alerts them to breach that began in 2016 [UPDATED]

Posted on November 8, 2018 by Dissent


Inova Health has been notifying patients of a breach that law enforcement first alerted them to on September 5.

According to a notice on the Northern Virginia – Washington, D.C. – metro area health system’s site:

On September 5, 2018, we were advised by law enforcement that some of our patient records may have been accessed by an unauthorized person. Upon learning this, we immediately began an investigation to determine how the access occurred and engaged a leading forensic firm to determine what happened and what information may have been accessed. Our investigation determined that the unauthorized person obtained the login credentials of an Inova employee and used those credentials to access our billing system in January 2017 and between July and October 2017. The individual also accessed a limited number of paper billing records in December of 2016. The individual accessed certain patients’ information, including patient names, addresses, dates of birth, medical record numbers, and Social Security numbers. For a small number of patients, treatment information also may have been accessed.

In response to the incident, and in addition to offering free credit monitoring and identity protection services, Inova writes that they deeply regret the incident and are

enhancing our security processes, have put in place additional monitoring tools, are retraining employees about password security and securing sensitive information before leaving their desks unattended, have updated our policies regarding password complexity and limitations on transmission of information, and we are reviewing our policies and procedures.

Hopefully they are also going to be imposing stricter and more frequent password reset policies, as if the bad actor could access the billing system in January 2017 as well as July – October of 2017, it tells us that the employee did not change their password during that time period and the system did not require the employee to change their password.

DataBreaches.net called and emailed Inova yesterday to request clarification on a few points, including the number of patients affected or notified, and how the unauthorized individual was able to access paper records in 2016 — were they an employee or was there some other way in which they gained access?

DataBreaches.net received a pro forma response about the incident that did not answer either of the questions above, despite a second request. If Inova does answer those questions, this post will be updated.

UPDATE 1:  I heard back from Inova after publication of this post. It seems that  the unauthorized individual is alleged to be a former independent contractor. According to Inova’s spokesperson, his last day with Inova was in November of 2017. Their spokesperson adds,

We cannot provide specific information about the individual responsible, except that we are working with law enforcement in their on-going investigation. Inova serves more than two million patients each year and only a small percentage of that patient population was affected. Inova values its relationship with our patients and understands the importance of protecting patients’ information.

So maybe their password reset policies were adequate but the contractor’s access made those policies and passwords ineffective as a defense.

UPDATE 2:  The incident now appears on HHS’s breach tool as impacting 12,331 patients.

Inova’s notification to the Montana Attorney General’s Office appears below.

Inova-Health-System-Inova

Related posts:

  • Victims of W-2 phishing scams (2017 list)
  • Health Data Breaches in 2017: The Year in Review
Category: Breach IncidentsHealth DataU.S.

Post navigation

← Sugar City recall petition delayed by county malware attack
Altus Baytown Hospital system hit by Dharma ransomware →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.