Hospital operator reveals cyberattack on patient records

Hospital operator Community Health Systems said a cyberattack took information on around 4.5 million patients from its computer network earlier this year. The Franklin, Tennessee, company said Monday that no medical or credit card records were taken in the attack, which may have happened in April and June. But Community said the attack did bypass its security systems to take patient names, addresses, birth dates, and phone and Social Security numbers. The hospital operator said it believes the attack came from a group in China that used sophisticated malware and technology to get the information. Community Health has since removed the malware from its system and finalized "other remediation efforts" to prevent future attacks. A spokeswoman did not immediately respond to a request from The Associated Press seeking comment on the attacks. The information that was taken came from patients who were referred to or received care from doctors tied to the company over the past five years. Community Health Systems Inc. is notifying patients affected by the attack and offering them identity theft protection services. The company owns, leases or operates 206 hospitals in 29 states. The attack follows other high-profile data security problems that have hit retailers like the e-commerce site eBay and Target Corp. Last year, hackers stole from Target about 40 million debit and credit card numbers and personal information for 70 million people. Shares of Community Health climbed 38 cents to $51.38 late Monday morning, while broader trading indexes also rose less than 1 percent.

Patient records more valuable to hackers than credit card details, NHS boss reveals

Patient records are at risk from hackers because they are now more valuable than credit card details, NHS bosses have revealed. Former deputy chair of NHS Digital Sir Nick Partridge said that while there were systems in place to try and combat hacks, the value of personal data meant there was an increased risk. "Systems are there but there's a growing understanding that patient records are now much more valuable on the dark web than credit card ratings," he said. "They sell for more money so we can only expect this level of cyber attack to increase in a very fragmented NHS and it's going to be a growing challenge". Sir Nick said that NHS Digital, the health service's internal IT provider, had...

UVa patient records exposed for 17 months in malware attack

The University of Virginia Health System on Tuesday said that an unauthorized party outside the university may have had access to the medical records of nearly 2,000 patients over a period of 17 months in 2015 and 2016. Investigations by the FBI and the university determined that a UVa doctor’s laptop and other devices were infected with malicious software that allowed the third party to see what the physician was viewing on the devices in real time. On Dec. 23, 2017, the health system learned that the third party may have been able to view the patient information from May 3, 2015 to Dec. 27, 2016. The university is notifying the 1,882 patients who may have been affected. During that time, the physician conducted UVa Health System business from his devices, which included accessing medical records and other documents containing patient information, the university said. The investigations could not rule out that the third party may have been able to see some patient information, including names, diagnoses, treatment information, addresses and dates of birth. Patients’ Social Security numbers and financial information were not viewable, according to a news release. The FBI told UVa that the third party has been arrested and did not take, use or share patients’ information in any way. But as a precaution, UVa mailed letters to the affected patients on Tuesday. Patients who have questions can call (866) 291-7429. To help prevent such incidents in the future, the UVa Health System has enhanced the security measures required to remotely access patient information.

UCSD among 12 nationwide to pilot Apple Inc.'s new medical records system

UC San Diego patients will be among the first in the nation to test an iPhone-based medical records access system now under development by Apple Inc. The Cupertino-based technology company announced Wednesday that it has selected a dozen health systems from coast to coast to pilot automatic synchronization of patient data, from test results to medications prescribed, within a health application that Apple has been including with every iPhone since 2014. For now, only those UC San Diego iPhone owners brave enough to load the new 11.3 “beta” version of iOS, the system software that runs all iPhones, will be able to try out the new medical records integration, which will appear as a “health records” section within the pre-existing Health app. UC San Diego Health, and many local health providers, already offer their own free apps that their patients can download and use to access many aspects of their electronic health records. It’s already possible for patients to make appointments, view results and even message back and forth with their doctors. But Apple’s project takes things one step further, embedding health records from different medical providers in one central location that is baked right into the bedrock system responsible for all of an iPhone’s main functions, from making phone calls and sending text messages to browsing the web and checking email. Dr. Christopher Longhurst, chief information officer at UC San Diego Health, said that deeper integration should not only make it quicker for patients to get to the information they want, but it should also open up new opportunities never before possible when data was stuck inside the organization’s health app. Deep integration, for example, could enable a smartphone to automatically remind its owner to start taking medications that were prescribed by their doctors. And, with a patient’s permission, apps written by other companies could use this data to, say, look for

Peace activist exploited cancer patient, records show

The Louisville activist who was sentenced in federal court Monday to 15 months in prison for cashing her dead husband’s Social Security checks pleaded guilty in 2012 to exploiting a cancer patient for whom she was a caretaker. Jan Arnow opened credit cards using the woman’s name and used her existing credit cards; she also wrote checks on her account for more than $12,000, according to a complaint. Assistant Commonwealth’s Attorney Jeff Cooke said the woman, Dr. Daryll Anderson, later died of the disease. He said Arnow was an acquaintance of Anderson, who was a physician. Some of the credit card transactions were in Europe, the records show. In that case, Arnow entered an Alford plea in state court in which she contested her guilt but acknowledged there was enough evidence to convict her. She received a four-year sentence for wanton exploitation of an adult, identity theft, fraudulent use of a credit card and unlawful taking, but was placed in a diversion program for five years. She also paid about $12,000 in restitution, Cooke said. She contended that the money she obtained from Anderson was a loan and that she had permission to use her credit cards. Court records show that Anderson initially gave Arnow power of attorney when she went into hospice in 2010 but that Anderson revoked it the next year when she realized Arnow was running up debts in her name. Arnow's diversion was revoked when she was indicted last year on the federal charges and failed to report them to her probation officer. She is set to be resentenced at 8:30 Thursday by Jefferson Circuit Judge Mitch Perry. The charges against her would have been dismissed if she had completed diversion. Her lawyer, Jonathan Dyar, declined to comment. Arnow, who was director of the Center for Interfaith Relations, launched the Institute for the Prevention of Youth Violence and fought genocide

UCHealth nurse fired for viewing 800 patient records

A nurse at Poudre Valley Hospital has been fired for viewing patients' medical records out of personal curiosity. University of Colorado Health, which operates PVH and Medical Center of the Rockies in Loveland, is notifying about 800 patients that an employee inappropriately accessed their electronic medical records. The employee was able to see patients’ names, addresses, phone numbers, dates of birth, insurance information and a description of the care and treatment received during a visit. The nurse was not able to access Social Security numbers or other personal, financial information, spokesman Dan Weaver said. Letters have been mailed to all affected patients, who should receive the letters in the next few days. UCHealth discovered the action through a regular audit of employees to ensure strict compliance with health privacy regulations. A subsequent investigation discovered the nurse was viewing patients' charts out of personal curiosity even though the nurse was not providing direct care to the patients. Weaver said in a statement that employees are receiving additional training to re-emphasize they can only view health records of patients for whom they are caring. All employees will continue to receive annual training on how to properly access health care information. Weaver said there have been no similar breaches of patients' records since UCHealth was created in 2011, merging Poudre Valley Health System with University of Colorado Health. Patients who have questions can call 844-470-1755 to talk with UCHealth's director of compliance and privacy.

VUMC starts ‘gigantic’ switch to Epic records system

Vanderbilt University Medical Center will move its electronic health records to a new software system designed by Epic Systems — a transition that will take about two years, require dozens of new jobs and possibly rental space to train employees. The transition will ultimately impact every patient who comes into a Vanderbilt-affiliated facility, as well as every employee. The transition from design to implementation is akin to changing the engine of a jetliner in the middle of a flight, said Dr. Kevin Johnson, chair of biomedical informatics and chief informatics officer for VUMC. The cost was not released by Vanderbilt Friday. The goal is to have the new system operating in 2018. Epic, based in Verona, Wis., has managed VUMC's registration and outpatient billing since 1995. The timeline is reasonably ambitious for a system the size of VUMC, said attorney Andy Norwood, partner at Waller law firm. Changing a hospital’s electronic medical record and electronic health record system is "a very very big undertaking. It's not like going from Word to WordPerfect," Norwood said. "It’s in the 'gigantic' category." The health system created its current software system with McKesson, which decided to discontinue the system in 2018. That prompted VUMC to find another. VUMC wants to provide a seamless and more efficient system for patients and clinicians. "The coolest thing we’re going to do with the new software is we’re going to have our patients experience one bill — we’re really committed to that," said Johnson. Johnson said the system will enable Vanderbilt to better connect with hospitals around the country and the world. Epic will allow Vanderbilt clinicians to electronically get patients' health records from other doctors and hospitals that use the Epic software. For patients an easy way to access medical records is the holy

Made-up hospital records found at several city-run facilities hide abuses

City officials discovered fictional records when probing whether Kings County Hospital staffers failed to protect an "at risk" patient who was raped there, the Daily News has learned. The latest incident took place three weeks ago - a year after the discovery of made-up records in the case of Esmin Green, the Brooklyn woman whose shameful death at Kings County was recorded on video. This time, the incident involves one patient raping another over the July 4 weekend in the new psych ward at Kings County. Green died on the old ward on June 18, 2008. Green's death became a national disgrace when video surfaced showing workers paying no attention as she lay dying on the floor. That contradicted records claiming Green was fine. After Green's death, the city's Health & Hospitals Corp. (HHC) implemented top-to-bottom reforms, including hiring more staff and opening a new ward. Sources familiar with the new investigation say the female patient was declared "at risk" when she arrived at the hospital. That means she was to be monitored all the time. The hospital also was aware the male patient had been involved in a previous sex assault in a prior admission to Kings County, the source said. Sources say before the rape, a hospital staffer found the male patient in the female patient's bedroom, although HHC officials say the man was found in the "women's unit" at the psych ward. The staffer kicked the male patient out, but sources say he didn't tell anyone about this at shift change. The woman reported the rape two days after it occurred. HHC says Kings County immediately notified police and began an investigation. The male patient was then arrested. That investigation revealed what appeared to be fictional entries made in hospital records identifying the supposed location of the female patient at specific times, sources said. Responding to questions from The News, HHC said the hospital's investigation "revealed that there was only one

Health records going high-tech, 28 hospitals to share electronic info

Doctors at a number of Bronx hospitals and health-care organizations will soon have instant access to the latest patient medical records when a new electronic medical information system has a trial launch later this month. The Bronx Regional Health Information Organization will start up with six hospitals and health-care institutions able to update and view electronic medical records of patients who sign on to participate. "You can deliver better care, more timely care, more complete care if you have better medical records," said Barbara Radin, executive director of the Bronx RHIO. An additional 22 borough hospitals, health centers, nursing homes and home health service organizations initially will only be able to view records, but eventually will also contribute medical records such as lab results and new prescriptions. The information system will allow doctors to access patient information if they have been treated or received tests and prescriptions at any of the other participating hospitals, clinics or nursing homes. The member health organizations and a grant from the New York State Department of Health are funding the nonprofit organization. The Bronx RHIO, part of a national push to create electronic medical record systems, aims to improve health care and save money by reducing medical errors, avoiding duplicate testing on patients and getting a clearer picture of disease rates in specific populations, as well as disparities in health care and treatment outcomes. Patient consent is required. The information is protected by security software and only accessible to authorized users. Every information request by a user will also be tracked. Verona Greenland, president of Morris Heights Health Center, praised the new system because many of its patients receive treatment from so many institutions. Radin of the Bronx RHIO agreed. "The way care is delivered nowadays, it doesn't always happen at one place with one doctor," she said. With the

NYC hospital worker charged with stealing patient info

A man who worked in the admissions department at a prestigious Manhattan hospital has been charged with stealing and selling information on nearly 50,000 patients. The former worker at New York-Presbyterian Hospital/Weill Cornell Medical Center was arrested Friday night, shortly after the hospital announced the security breach. He was arraigned Saturday at a federal court in Manhattan. Prosecutors said Dwight McPherson, 38, of Brooklyn, exploited his access to the hospital’s computer registration system to acquire lists of patient names, phone numbers and Social Security numbers over a two-year period. Authorities became aware that something was amiss when printouts of patient records were discovered in Atlanta, Ga., during an investigation by U.S. postal inspectors, according to a complaint filed by prosecutors Saturday. McPherson confessed to a role in the identity-theft scheme when he was interrogated by agents on Friday, an inspector said in the complaint. McPherson told agents that in 2006 he was approached by someone who offered money in exchange for the names, addresses and other identifying information of male patients born between 1950 and 1970. The complaint said McPherson sold one batch of 1,000 records sometime this past December or January for $750. A second batch a short time later earned him $600, the agents said. Prosecutors didn’t reveal Saturday who was purchasing the data or why, but the court complaint said the buyers intended to use the information "in connection with illegal activity." McPherson didn’t address the charges during his brief court appearance and wouldn’t speak to reporters after he was released on bond. "He is a hard working, honest man," said his lawyer, Bob Walters. New York-Presbyterian suspended McPherson in February after being contacted by federal investigators. Hospital spokeswoman Myrna Manners said Friday evening that none of the stolen data contained private health information, and