Virus May Have Caused Unusual BreachBeth Israel Deaconess Notifying 2,000
The hospital reports in a website statement that a computer service vendor, which it declined to identify, recently failed to restore proper security controls on a computer after performing maintenance on it. The device, which was located in a locked room, was later found to be infected with the virus.
John Halamka, the hospital's CIO, told PHIPrivacy.net that the virus encrypted the data that it transmitted. "The reason we are reporting it is that we are not sure that a breach occurred, but because a virus sent some data from the radiology device to some location, we wanted to be very conservative and report a possible breach."
The computer did not contain patient's Social Security numbers or financial information. It did, however, contain patient names, medical records numbers, birth dates and the names and dates of radiology procedures that patients had undergone.
The hospital is offering affected patients one year's worth of free identity protection service.
Beth Israel Deaconess "shut down the computer immediately upon learning that it was infected with a computer virus," Halamka said in the website statement. "The computer was cleaned and all software re-installed to ensure the virus was no longer present. Updated security controls were also installed and activated to prevent viruses from being installed."
Halamka also said Beth Israel Deaconess "worked closely with its vendor representative to ensure that an incident such as this does not re-occur."
Under the HITECH Act breach notification rule, breaches must be reported to the individuals affected as well as the Department of Health and Human Services' Office for Civil Rights.