Doc’s devices enabled unauthorized access to U-Virginia Health data
A laptop computer and other computing devices of a physician affiliated with the University of Virginia Health System allowed an unauthorized individual to see medical information that the physician was viewing on his devices.
The unauthorized access continued for about 18 months, and now, 1,882 patients are being notified and encouraged to review healthcare statements and call their insurer if there are charges for services they did not receive.
The intruder, whom the FBI has arrested, put malicious software on the physician’s computing devices. The degree to which information actually was viewed is not clear. During the period of the breach, the physician had been using three personal computers.
FBI staff who continue to investigate the incident learned that the individual did not take, use or share patient information, and advised the health system. The health system learned of the data breach from the FBI, which, while investigating another breach, often finds other organizations that also were victimized. On December 23, 2017, the health system determined that the unauthorized third party may have been able to view patient information from May 3, 2015 to December 27, 2016.
Compromised protected health information included patient names, diagnoses, treatments, addresses and dates of birth. Social Security numbers and financial information were not accessed.
“We are sorry this happened and regret any inconvenience or concern this incident may cause our patients,” the university said in a privacy notice that was sent to affected individuals. “To help prevent something like this from happening in the future, we are enhancing security measures required to remotely access UVA Health System information.”
The organization is not offering protective services such as credit monitoring or identity theft protection as the most sensitive patient data was not compromised.