PHI Captured, Stored on Hidden Site in Hospital IT System

Valley View Hospital in Glenwood Springs, Colo., on March 17 started notifying about 5,400 patients that their protected health information was found in an encrypted and hidden folder in a hospital information system.


A sophisticated outside virus collected and encrypted the information in the folder. Hospital personnel discovered the virus in January 2014 and contracted with an information technology forensic firm to investigate, according to a notice on Valley View’s website.

The firm determined on January 23 that the virus captured screen shots of web pages and stored the images in the encrypted, hidden folder, which could have been accessed by an outside entity. The hospital has been unable to determine whether any data was accessed or transmitted elsewhere.

The hospital shut down incoming and outgoing Internet traffic and took steps to remove the virus. Two days later, the forensics firm reported the contents of the folder, which included patient names and may also have included Social Security numbers, addresses, dates of birth, credit card information, telephone numbers, admission dates, discharge dates and patient visit numbers.

Affected patients are being offered one year of free credit and identity protection services. A hospital spokesperson was not immediately available for additional comment.