Westminster Ingleside King Farm Presbyterian Retirement Communities had a malware infection potentially giving the attackers access to protected health information of its residents. The living facility’s systems had security solutions in place that prevent unauthorized access, but they were not successful in blocking the malware attack.
The DC assisted living facility discovered the malware attack on November 21, 2017. Through rapid action of identifying and removing the malicious code, they were successful in removing the malware. However, third party experts came to assist them in finding out how the attackers bypassed the system’s security defenses and to know if the hackers accessed the residents’ protected health information.
The result of the investigation showed several areas that need security improvement to protect the system from future attacks. Ingleside implemented a better firewall, updated the antivirus and anti-malware software, and implemented a two-factor authentication on user accounts. They have issued new user credentials and set stronger passwords. Additional training provided employees the know-how needed to identify unauthorized access.
There was no evidence found that suggests the residents’ PHI was accessed. But it cannot be 100% certain that there was no data access or theft. Hence, all residents impacted by the breach were notified. They were also offered free 12-month credit monitoring and identity theft protection services via Kroll.
The potentially compromised PHI includes names, Social Security numbers, addresses and other health information. But there was no financial information compromised due to the malware infection. Ingleside submitted a breach notice to the Department of Health and Human Services’ Office for Civil Rights indicating that the security breach potentially impacted 5,228 residents.