Computer virus collected data on 5,400 patients at Colorado hospital
The Valley View Hospital Association (VVH), which operates a small hospital in Glenwood Springs, Colo., voluntarily disclosed that a virus had infected the hospital’s computers and captured data that included personal but not medical information on 5,400 patients.
In a statement, the hospital said that it found the virus on January 24 and immediately shut down its incoming and outgoing internet traffic to quarantine the virus. According to the hospital, a team of forensic information technology experts was then brought in. The team determined that infected computers had taken screenshots of what system users were doing between Sept. 11, 2013, and Jan. 23, 2014, and stored those images in a hidden file that someone from the outside could have accessed, although there was no evidence that anyone from the outside actually had looked at the pictures.
A recent Healthcare Information and Management Systems Society (HIMSS) survey found that most members saw the biggest threat to patient data as coming from within their organizations, through unauthorized access to records by staff and providers. However, as the Valley View Hospital story shows, outside hackers and viruses that are after financial data also pose a threat. At Valley View, the information collected by the computer virus included patient names, birth dates, Social Security numbers and credit card numbers.
Valley View did not disclose the specific financial impact of the virus, but it did say in its statement that it had employed outside experts to analyze and remove the virus, sent letters to all the patients affected, established a toll-free information hotline and offered a year of free credit monitoring to affected patients.
With records increasingly held in electronic form and more medical devices networked, the government has been getting involved in pushing more healthcare systems and hospitals to wake up to external cyber security threats. Starting next month, the Health Information Trust Alliance (HITRUST) and the U.S. Department of Health and Human Services (HHS) will begin conducting free monthly briefings on current and probable cyber threats in the healthcare sector, and will share what to do to defend against these threats.
In addition, HITRUST has set up an alert system to notify healthcare organizations of cyber threats targeted at the healthcare sector. To get the alerts or participate in the monthly online briefings, register at www.hitrustalliance.net/cyberupdates.