Inova Health System based in Falls Church, VA is informing 12,331 patients that there has been a breach of some of their protected health information (PHI).
Law enforcement contacted Inova Health System on September 5, 2018 regarding a suspected breach of billing information. An investigation was launched and a leading computer forensics company was called in to provide assistance.
According to the investigation, an unauthorized person accessed the billing system in January 2017 and again between July and October 2017. The hacker used an Inova employee’s login credentials to access the system.
Inova also reported that the same individual accessed the paper billing records of a few patients in December 2016, which suggests the person responsible had access to Inova facilities. However, no information about the individual responsible for the breach has been disclosed by Inova.
The compromised information included patient names, addresses, dates of birth, Social Security numbers and medical record numbers. The treatment information of a limited number of patients was also potentially compromised.
Inova has now enhanced its security policies and procedures, implemented monitoring tools to detect unauthorized access, updated its password policies to improve password complexity, and has limited data transmission. Employees have received extra training on securing sensitive data, password security, and steps to take before leaving their workstations unattended.
Inova began sending breach notification letters by mail to patients affected by the breach on November 2. Inova has offered all patients impacted by the breach 12 months of credit monitoring and identity theft protection services free of charge.