LifeBridge Health in Baltimore experienced a data breach that was disclosed in a press release on May 16, 2018, although the release did not indicate the number of patients impacted. On March 28, 2018, it was discovered that malware had been installed on the server that hosted LifeBridge Health’s patient registration and billing systems and LifeBridge Potomac Professionals’ electronic medical record system.
A national computer forensics firm assisted in investigating the breach. The investigation established that the server was first accessed on September 27, 2016, or 18 months ago. The server stored patients’ information, including names, birth dates, addresses, clinical and treatment details, diagnoses, prescribed medications, insurance information and, for some patients, Social Security numbers. LifeBridge Health did not disclose how the attackers gained access to the server, but the breach notice mentioned that the company had enhanced its system and password security requirements.
LifeBridge Health has received no evidence indicating that patients’ protected health information was misused. As a safety precaution, however, the company offered free credit monitoring and identity theft protection services for one year to patients whose Social Security numbers were potentially compromised. In addition, patients were advised to monitor their billing statements and explanation of benefits statements to make sure they were not charged for medical services they did not receive. In case of any discrepancies, patients must inform their insurance carriers immediately.
The LifeBridge Health data breach report has been submitted to the Department of Health and Human Services’ Office for Civil Rights. The PHI of 538,127 patients was impacted, making this healthcare breach the second largest reported this year. Although this incident is smaller than the security breach at the California Department of Developmental Services (CDDS) in April, it is considered more serious. The breach at CDDS affected 582,174 patients, but it was uncertain whether PHI was actually viewed or accessed by the burglars. The electronic equipment stolen by the thieves was encrypted, and no paperwork seemed to have been taken.