Medical Center Barbour, a small rural hospital in Alabama, recently informed 61,014 patients that a data breach in October 2023 compromised their personal information.
What happened
On October 29, 2023, acute care hospital Medical Center Barbour, Alabama, discovered unusual activity on their network. The investigation was finalized on December 8, 2023, and determined that an unauthorized individual accessed files stored on the hospital's network.
On May 21, 2024, the hospital hired a data mining vendor to help identify the affected individuals. The vendor identified 61,014 individuals whose protected health information (PHI) was compromised.
Specifically, the information included their names, dates of birth, residences, health insurance details, Social Security numbers, passport information, and financial data.
Going deeper
Medical Center Barbour struggled to identify the affected individuals, and the specific data that was compromised, resulting in a ten-month notification delay.
However, the HIPAA breach notification rule mandates healthcare providers to notify affected individuals within 60 days of discovering a breach. Moreover, if more than 500 people are affected, the provider must notify the US Department of Health and Human Services' Office for Civil Rights within the same timeframe. If the affected individuals cannot be identified within 60 days, the provider must have a substitute HIPAA breach notice on their public website.
What was said
The Medical Center Barbour breach notice states, "After our own review, on May 21, MCB engaged a reputable data mining vendor to assist in the time-consuming and detailed reconstruction and review of the data stored on the server at the time of this incident to better understand whose information was affected.”
Why this matters
Smaller healthcare organizations, like Medical Center Barbour, often struggle with limited resources to effectively manage and respond to cyberattacks. As cybersecurity risks escalate, these organizations must enhance their breach detection and response systems to comply with HIPAA regulations and safeguard PHI.
Furthermore, delays in notifying affected individuals and federal agencies can lead to further complications and legal consequences for these smaller healthcare organizations.
Learn more: Preventing the spread of cybersecurity attacks in healthcare
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access, uses or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
See also: How to respond to a data breach
What should individuals do if their data has been compromised?
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
What are the penalties for violating HIPAA regulations?
Civil penalties for HIPAA violations can include fines ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation. Criminal penalties are applied when HIPAA violations are knowingly committed, with increased fines and imprisonment.
