Decatur County General Hospital Experiences Electronic Medical Record Security Incident – 24,000 Individuals May Have Been Impacted

Parsons, Tennessee-based Decatur County General Hospital, according to HealthIT, “experienced an EMR [Electronic Medical Record] security incident when unauthorized software was installed on the server the EMR vendor supports on the organization’s behalf.” reported that “the OCR data breach reporting tool states that 24,000 individuals may have been affected.”

The January 26, 2018 statement issued by Decatur County General Hospital reported that on November 27, 2017, the hospital

. . . received a security incident report from [its] EMR system vendor indicating that unauthorized software had been installed on the server the vendor supports on [the hospital’s] behalf. The unauthorized software was installed to generate digital currency, more commonly known as “cryptocurrency.” Following receipt of the incident report, [Decatur County General Hospital] began [its] own investigation into the incident. At this time, [the hospital’s] investigation continues, but [the hospital] believe[s] an unauthorized individual remotely accessed the server where the EMR system stores patient information to install the unauthorized software. The software was installed on the system at least as of September 22, 2017, and the EMR vendor replaced the server and operating about four days later.

Decatur County General Hospital’s statement also disclosed that the hospital does not

. . . have . . . evidence that [patient] information was actually acquired or viewed by an unauthorized individual, and based upon reports of similar incidents, [the hospital] do[es] not believe that [patient] health information was targeted by any unauthorized individual installing the software on the server. [The hospital’s] investigation to date, however, has been unable to reasonably verify that there was not unauthorized access of [patient] information. Information contained on the affected server included demographic information such as patient names, addresses, dates of birth, and Social Security numbers, clinical information such as diagnosis and treatment information, and other information such as insurance billing information. [Emphasis added]

HealthcareInfoSecurity reported that

[t]he hospital’s statement did not offer an explanation about why the EMR vendor apparently took more than two months to notify the hospital about the cryptocurrency mining discovery. And the hospital did not immediately respond to an Information Security Media Group’s request for additional information about the incident. [Emphasis added]

Decatur County General Hospital’s statement about the unauthorized software security incident can be viewed by clicking Decatur County General Hospital EMR Security Incident Announcement.

Kehoe Law Firm, P.C.