Malware causes EHR breach for small Tennessee hospital

Decatur County General Hospital, a 40-bed facility in Parsons, Tenn., is offering 24,000 patients one year of credit monitoring services after its electronic health record system was hacked.

The incident appears to be a ransomware attack, although the organization did not use that term in the notification letter it sent to patients.

“On November 27, 2017, we received a security incident report from our EHR system vendor indicating that unauthorized software had been installed on the server the vendor supports on our behalf,” the hospital explains. “The unauthorized software was installed to generate digital currency, more commonly known as ‘cryptocurrency,’ ” a digital currency such as bitcoin.

The hospital did not identify the vendor of its EHR system in the notification letter sent to patients. Its patient portal is generically branded, but indicates that the copyright for the technology belongs to CPSI.

Also See: New sophisticated ransomware carries a high price tag

Investigation of the attack continues but it is believed that an unauthorized individual remotely accessed the server where the EHR stores patient information to install the malware. The software was installed as early as Sept. 22.

Decatur County General Hospital-CROP.jpg

While noting there is no evidence that patient information was actually acquired or viewed, the hospital was unable to verify that there was no unauthorized access.

Compromised data included names, addresses, dates of birth, Social Security numbers, diagnoses and treatment information, and insurance billing information. The hospital urged patients to place a fraud alert on their credit files and explained the process in the notification letter.

Hospital personnel did not immediately respond to a request for additional information.

For reprint and licensing requests for this article, click here.