The large behavioral health service provider, Behavioral Health Network (BHN), suffered a malware attack affecting 129,571 patients. Details of the attack are discussed below.
Malware Attack: What Happened?
A malicious software attack occurs when hackers install malicious software on an organization’s systems without the organization’s knowledge. The purpose of a malware attack is to gain access to sensitive data, usually to exploit the organization for financial gain. The attack affecting BHN was discovered two days after it had been introduced into their network when staff were unable to access files.
BHN’s affected systems contained files on 129,571 patients. Protected Health Information (PHI) that may have been compromised includes patient names, dates of birth, Social Security numbers, addresses, medical/diagnosis/treatment information, and/or health insurance claim information.
Reporting and Preventing Future Malware Attack Incidents
Although it is unclear whether or not hackers stole or accessed any files containing PHI, BHN reported the incident to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), affected patients, and the media. Patients potentially affected by the malware incident have been offered free identity theft protection and credit monitoring services, as required by HIPAA.
To prevent malicious software problems from occurring in the future, BHN has agreed to:
- Implementing additional safeguards. HIPAA requires organizations working with PHI to implement administrative, physical, and technical safeguards. Safeguards are meant to ensure the confidentiality, integrity, and availability of PHI. Had BHN implemented adequate safeguards, they may not have suffered the malware attack.
- Reviewing their HIPAA policies and procedures. Policies and procedures create a framework for how an organization adheres to the HIPAA Security, Privacy, and Breach Notification Rules.
- Retraining employees on data security and privacy practices. Employee training ensures that employees are aware of potential risks and how to recognize them, making them less likely to fall victim to malware attacks.