42,000 Patients Impacted by 16-Month Malware Attack on Florida Pulmonary & Sleep Medicine Center

The AdventHealth Medical Group Pulmonary & Sleep Medicine in Tavares, Florida, previously called Lake Pulmonary Critical Care, has discovered hackers have accessed its systems and potentially viewed or acquired the protected health information (PHI) of approximately 42,161 patients.

The attack on Pulmonary & Sleep Medicine Center happened in August 2017 and resulted in the installation of malware. The malware infection was identified on December 27, 2018. It is currently uncertain how the malware was installed.

An investigation was conducted to find out the magnitude of the breach and the patients whose PHI had potentially been accessed. The investigation revealed the hackers had accessed parts of the center’s system that contained patients’ PHI. The PHI that may have been accessed included patients’ names, email addresses, addresses, phone numbers, birth dates, medical histories, health insurance details, Social Security numbers, and details of race, gender, height, and weight.

Following the detection and removal of the malware, AdventHealth implemented additional security controls to prevent cyberattacks from succeeding in the future and system audits will be conducted more frequently in the future.

On January 25, 2019, AdventHealth began mailing breach notification letters to the patients whose PHI was compromised. The center has offered all affected patients complimentary credit monitoring and identity theft restoration services from Kroll for one year. Patients have been advised to review their explanation of benefits statements from their insurance companies for any indications of misuse of their insurance details.