Navicent Health, a part of Central Georgia Health System, has disclosed that it suffered a data breach as the result of a digital attack.
The second-largest hospital in Georgia and the only regional Level I Trauma Center, Navicent Health explains in a data breach notice that it learned of a digital attack involving some of its employees' corporate email accounts in July 2018. The health organization responded by notifying law enforcement about the event and retaining a digital forensics firm to help determine what happened. This investigation revealed on 24 January 2019 that the security incident had affected some email accounts containing patients' personal information, including their names, dates of birth, addresses, medical information, billing data and Social Security Numbers. A closer look by Navicent Health found no evidence of identity theft and no indication of whether a bad actor viewed patients' data. In response, the healthcare organization began notifying individuals whose information the incident exposed and providing them with a free subscription to identity theft protection services. It made this decision out of a sense of responsibility to the digital security of its patients. As quoted in its data breach notice:
We take our responsibility to safeguard personal information seriously and apologize for any inconvenience or concern this incident might cause. We are committed to taking steps to help prevent something like this from happening again, including evaluating additional platforms for educating staff and reviewing technical controls.
Patients affected by the Navicent Health data breach should defend themselves against identity thieves by protecting their web accounts with strong passwords, enabling multi-factor authentication (MFA) where available and using a VPN. At the same time, healthcare organizations should ensure the security of their stored personal health information (PHI) by obtaining visibility over their IT environment, creating processes to maximize their implementation of security controls like file integrity monitoring and strengthening their HIPAA compliance. They'd also be wise to familiarize themselves with the most common ways by which digital attackers are targeting the healthcare industry.