Inova Health has been notifying patients of a breach that law enforcement first alerted them to on September 5.
According to a notice on the Northern Virginia – Washington, D.C. – metro area health system’s site:
On September 5, 2018, we were advised by law enforcement that some of our patient records may have been accessed by an unauthorized person. Upon learning this, we immediately began an investigation to determine how the access occurred and engaged a leading forensic firm to determine what happened and what information may have been accessed. Our investigation determined that the unauthorized person obtained the login credentials of an Inova employee and used those credentials to access our billing system in January 2017 and between July and October 2017. The individual also accessed a limited number of paper billing records in December of 2016. The individual accessed certain patients’ information, including patient names, addresses, dates of birth, medical record numbers, and Social Security numbers. For a small number of patients, treatment information also may have been accessed.
In response to the incident, and in addition to offering free credit monitoring and identity protection services, Inova writes that they deeply regret the incident and are
enhancing our security processes, have put in place additional monitoring tools, are retraining employees about password security and securing sensitive information before leaving their desks unattended, have updated our policies regarding password complexity and limitations on transmission of information, and we are reviewing our policies and procedures.
Hopefully they are also going to be imposing stricter and more frequent password reset policies, as if the bad actor could access the billing system in January 2017 as well as July – October of 2017, it tells us that the employee did not change their password during that time period and the system did not require the employee to change their password.
DataBreaches.net called and emailed Inova yesterday to request clarification on a few points, including the number of patients affected or notified, and how the unauthorized individual was able to access paper records in 2016 — were they an employee or was there some other way in which they gained access?
DataBreaches.net received a pro forma response about the incident that did not answer either of the questions above, despite a second request. If Inova does answer those questions, this post will be updated.
UPDATE 1: I heard back from Inova after publication of this post. It seems that the unauthorized individual is alleged to be a former independent contractor. According to Inova’s spokesperson, his last day with Inova was in November of 2017. Their spokesperson adds,
We cannot provide specific information about the individual responsible, except that we are working with law enforcement in their on-going investigation. Inova serves more than two million patients each year and only a small percentage of that patient population was affected. Inova values its relationship with our patients and understands the importance of protecting patients’ information.
So maybe their password reset policies were adequate but the contractor’s access made those policies and passwords ineffective as a defense.
UPDATE 2: The incident now appears on HHS’s breach tool as impacting 12,331 patients.
Inova’s notification to the Montana Attorney General’s Office appears below.
Inova-Health-System-Inova