EHR Vendor Reports Breach of PHI of Nearly 320,000 Patients

The protected health information of almost 320,000 patients has potentially been compromised in an August 2021 cyberattack on the Tennessee-based healthcare technology services company QRS Inc.

QRS provides software solutions for healthcare organizations, including the Paradigm practice management and electronic health records (EHR) system. QRS said it detected unauthorized activity on a server on August 26, 2021, with the subsequent investigation confirming the hacker gained access to a single server on August 23, 2021.

Through that server, the hacker gained access to the electronic patient portal used by some of its healthcare provider clients. While no evidence has been found that indicates the hacker exfiltrated patient data from the server and no reports of identity theft or fraud have been received in response to the breach, unauthorized data access and theft could not be ruled out.

Through the compromised server the hacker potentially accessed and exfiltrated files containing the following information: name, address, date of birth, Social Security number, patient identification number, medical treatment, and diagnosis information, and portal usernames.

QRS said the server was immediately taken offline when the unauthorized activity was detected, and a third-party cybersecurity firm was engaged to investigate the breach. The investigation confirmed the hacker only had access to a single server, and no other QRS systems nor those of its healthcare provider clients were compromised. Steps are now being taken to improve security to prevent further breaches in the future.

QRS said it started sending notification letters to all affected individuals on October 22, 2021. Any individual who had their Social Security number exposed can sign up for complimentary identity theft protection services.

The data breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting up to 319,778 individuals.