A healthcare provider in Colorado, Vincent Vein Center, is the latest organization to notify the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) of a breach of protected health information (PHI) stemming from a malicious hacker's attack on Bizmatics' data servers.
Bizmatics provides ambulatory software and electronic health records serving 15,000 healthcare providers.
According to the HHS OCR breach portal, Vincent Vein Center, based in Grand Junction, Colorado, filed the notification June 7; the type of breach was labeled "hacking/IT incident" and the location as "electronic medical record." The portal lists 2,250 patients whose PHI may be affected.
A review of the breach incidents filed with OCR indicates that data breaches affecting at least six healthcare providers stem from the Bizmatics data server hack, which, according to letters sent to Bizmatics clients, occurred in January 2015. According to the OCR breach portal, those breaches potentially impact the PHI of 149,776 individuals in total.
In a data breach notice posted on its website, Vincent Vein Center states that it uses an electronic health record and practice management tool called PrognoCIS that is owned and operated by a third-party vendor, Bizmatics. The website links to a letter from Bizmatics indicating that a malicious hacker attacked Bizmatics’ data servers, which resulted in unauthorized access to Bizmatics customers’ records.
In that letter, Bizmatics said it worked with law enforcement and engaged CrowdStrike, a cybersecurity firm, to investigate and determined that the cyber intruders “may have installed malware in January 2015 and, through credentialed theft, accessed certain systems in the Bizmatics environment. Bizmatics did not become aware of the intrusion until late 2015.”
In the letter, Bizmatics stated that Vincent Vein Center's patient records were stored on the affected systems and that the information potentially exposed includes patient names, addresses, Social Security numbers and health visit information. "However, Bizmatics and its cybersecurity experts were not able to determine whether your particular patient records were actually accessed or acquired by unauthorized persons."
The letter also stated, "Bizmatics takes data security very seriously, and has taken and is continuing to take steps to further strengthen its defenses against cyberattacks, including hardening even further its firewall and network configurations. Although no system can ever be 100 percent secure from unauthorized intrusion, Bizmatics is committed to ensuring its systems are as secure as they can be in this environment."
The largest breach so far appears to be that of Southeast Eye Institute, also known as Eye Associates of Pinellas, in Pinellas Park, Florida, which impacted the medical records of 87,317 patients and was posted on the OCR breach portal May 5. Eye Associates of Pinellas posted a notice of "patient breach information" on its website stating that the provider has been using practice management software maintained by an off-site vendor, Bizmatics.
The notice further stated, “SE Eye like many medical practices utilizes the services of independent off-site vendors for some services. On March 30, 2016, Bizmatics notified us that it had suffered a data breach and “at least some” of our patient file information had been accessed by unauthorized individuals.”
According to the notice, the personal information that may have been accessed could include name, address, telephone number, Social Security number, date of birth, and insurance information. However, the notice states that no patient care/medical or credit card information was held in the Bizmatics system.
The notice also states, “Bizmatics’ services to medical providers are covered by information security laws including HIPAA. Several other practices were also impacted by the breach. Bizmatics is unable to identify which patient files were accessed, therefore, we are unable to determine if your file was accessed. Bizmatics has advised us that it maintained information in segregated files to increase security. For example, names were kept separate from addresses. Bizmatics is unable to determine if the unauthorized persons are able to collate the various data files.”
The notice also states that SE Eye is no longer using the Bizmatics practice management software.
According to the OCR breach portal, ENT and Allergy Center in Fayetteville, Arkansas, experienced a breach affecting 16,200 people, which was posted June 1. On its website, ENT and Allergy Center posted a HIPAA privacy notification stating that the facility uses Bizmatics' PrognoCIS electronic health record. The notification states, "Bizmatics' PrognoCIS tool fell subject to the attack on Bizmatics' data servers, and accordingly, Bizmatics notified us that we were one of its customers who may have had some of its records accessed by the criminal hacker. The PrognoCIS tool stores and organizes our patient files."
The notice further stated that Bizmatics notified ENT and Allergy Center in April that "at least some of our electronic patient medical records were potentially accessed and obtained by unauthorized persons. The information contained in the records that may have been accessed included patient names, addresses, health visit information, and at least the last four digits of the patient's Social Security number."
Easton, Penn.-based Integrated Health Solutions also reported a data breach to OCR affecting 19,776 individuals, posted May 25. That incident was labeled "hacking/IT incident" with the location "electronic medical record, network server." According to a local newspaper, The Morning Call, Bizmatics notified Integrated Health Solutions March 30 about unauthorized access to its medical records. The information may include name, address, Social Security number and health visit information.
There is also California Health and Longevity Institute, based in Westlake Village, California, which submitted a breach report to OCR on May 25 stating that the PHI of 4,836 patients had potentially been compromised. That incident was listed as a hacking/IT incident on a network server. The provider notified patients through a public notice stating, "CA Health and Longevity Institute would like to alert patients that in 2015 cyber intruders may have accessed confidential patient information that was stored on an electronic health record system. The clinic uses an electronic health record database called PrognoCIS to store patient information. PrognoCIS was created and maintained by Bizmatics."
Finally, Pain Treatment Centers of America (PTCOA) and Interventional Surgery Institute (ISI), based in Arkansas, filed a breach report April 11 stating that 19,397 individuals were possibly affected by a hacking/IT incident on an electronic health record and network server. A HIPAA Security Notification letter posted on the provider's website states that it uses the PrognoCIS EHR and practice management tool and was informed by Bizmatics that the medical records stored in PrognoCIS may have been accessed as a result of the hacking incident on Bizmatics' data servers.