PHI of 1,882 UVa Patients Exposed Due to Malware Infection

A professional hacker accessed the healthcare records of about 1,900 patients of the University of Virginia Healthcare System by infecting the device used by a hospital physician with malware. For more than 19 months starting May 3, 2015 to December 27, 2016, the hacker viewed the healthcare records of 1,882 patients. Whenever the doctor would access the healthcare records, the hacker could view the names, addresses, dates of birth, diagnosis, and treatment details of patients in real time.

The hacker lost access to the protected health information of patients in late 2016, however UVa did not know about the breach for a year. The FBI informed UVa of the security breach on December 23, 2017, right after a investigating the hacker’s activities. Patients affected by the breach were informed by mail in Feburary 2018. UVa has since enforced several security controls to circumvent more incidents like this from happening.

The hacker responsible for the malware infection was Phillip R. Durachinsky of North Royalton, Ohio. He was likewise responsible for the Mac malware known as Fruitfly which he created over 13 years ago. In a period of 13 years he spied on businesses, schools, healthcare organizations, government offices and a police department. The malware gave him complete access to electronic devices. He could upload and download documents, record keystrokes and get screen shots by tapping into webcams.

In his latest case, there are other companies that were also impacted besides UVa. Durachinsky accessed sensitive information such as financial records, photographs, tax records, and internet search history. He similarly allegedly took photos using his victims’ webcams and kept notes of pertinent information. The FBI’s investigation still continues to know the range of Durachinsky’s illegal activities.

The FBI discovered that an IP address associated with the malware was used to open the hacker’s email account at Case Western Reserve University. That is what led to the arrest of Durachinsky. Proof of the magnitude of his activities was the more than 20 million pictures the FBI agents found on his devices.

Subsequent to his arrest, Durachinsky was charged in a 16-count indictment for various computer violations, which include the Computer Fraud and Abuse Act and Wiretap Act, plus aggregated identity theft and child pornography.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: