Preferred Care Home Health Services found unusual activity within its email services in April. On Monday, it notified individuals that personal information may have been exposed during a data-security incident tied to that email activity.
Among the information hacked may have been names, dates of birth, contact information, and Social Security or driver’s license numbers, according to the in-home care provider. Private health insurance data, plus Medicare and Medicaid information may also have been compromised, in addition to sensitive medical information..
Although only information transmitted through email was affected, compromised accounts were subject to unauthorized access between Jan. 13 and April 27 of this year. Once the unusual activity was detected, the emails were secured and an internal investigation was launched.
The details of the investigation’s findings have been made known to current and past patients who may have had personal information hacked.
Naples, Florida-based Preferred Care offers an array of skilled nursing and rehab services, as well as other home health care and social services. It provides over 100,000 visits per year to patients in eight counties.
In addition to notifying patients of the data security incident, the agency also provided resources to help mitigate some of the risks that come with this sort of incident. Preferred Care has set up a toll-free service to answer questions that patients may have about the security breach and is offering identity protection services through risk consulting firm Kroll.
Though there is no evidence yet that the compromised information has been misused, Preferred Care has reported what happened to the FBI.
Preferred Care Home Health Services did not respond to a request for comment from Home Health Care News.
The Florida-based provider is just the latest home health agency to operate through a cyberattack. In 2018, a hacker group reportedly stole personal, medical and financial information from roughly 80,000 patients when they hacked the computer systems of CarePartners.
Universal Health Services experiences cyberattack
One of the largest health systems in the U.S., Universal Health Services (UHS), experienced a major computing outage on Sept. 27 that has been attributed to a significant ransomware attack, according to Wired.
King of Prussia, Pennsylvania-based UHS has more than 400 facilities across the United States, Puerto Rico and the United Kingdom. The attack occurred in the U.S. and affected its digital networks at locations around the country.
For now, the cyberattack has forced the health system to move to all-paper documentation. Patients have, in turn, faced facility reroutes and delayed test results, among other inconveniences, Wired reported.
“We are making steady progress and are confident that we will be able to get hospital networks restored and reconnected soon,” UHS officials said in a statement posted online. “Our major information systems such as the electronic medical record (EMR) were not directly impacted; we are focused on restoring connections to these systems. In the meantime, our facilities are using their established back-up processes including offline documentation methods.”
UHS announced in July that it was partnering with Moorestown, New Jersey-based home health giant Bayada on a new joint venture focused on the home. Bayada, however, was reportedly unaffected by the ransomware attack.
The health care industry is the top target for data breaches, according to Wipro’s State of Cybersecurity Report 2018. Over 40% of reported breaches were from the health care world in 2017.
Providers have routinely had to pay out ransoms of over $1 million to get their data unlocked when bad actors have hacked their systems in the past. As the use of telehealth and other remote technologies increases, cyber attacks have also been on the rise.
But it’s not easy for providers to always prevent hacks and nefarious online activity.
“If you are a target, unfortunately, they will hack you,” John Prost, the director of information technology at Mueller Prost, said this summer at the National Association for Home Care & Hospice (NAHC) 2020 Financial Management Conference.
What separates some health systems and agencies from others is the existing barriers in place to prevent hacking.
“What you need to do is take the measures to protect yourself and put as many hurdles in front of them as you can. Hopefully, they will get tired of trying to hack you and move on to somebody else,” Prost said.
Weak passwords and re-used passwords are one of the simplest ways to get hacked, which means strong passwords and good password management generally is one of the best ways to mitigate these risks. A password manager that can store encrypted passwords online and then two-factor authentication are ways to keep employees safe from online risks.
Educating workers on good online hygiene practices, just as agencies train employees on infection protocol and disinfection techniques, will need to become par for the course for agencies in the future.