Ohio-based MetroHealth is notifying nearly 1,000 patients that three computers in its Cardiac Cath Lab, which contained their personal information, were infected with malware.
How many victims? 981.
What type of personal information? Names, dates of service, dates of birth, heights, weights, medications administered during procedures, medical record numbers, case numbers related to procedures, and cardiac catheterization raw data such as tracings of EKG and oxygen saturation.
What happened? Three computers in the MetroHealth Cardiac Cath Lab, which contained the personal information, were discovered to be infected with malware.
What was the response? The malware was removed, as was a backdoor that was created to enable subsequent access to the affected computers. MetroHealth has increased monitoring for malware, added antivirus update reviews, revised its incident response plan, and revised its Cath Lab software update procedures. All impacted individuals are being notified.
Details: On March 17, MetroHealth discovered malware on three computers in its Cardiac Cath Lab. The computers are believed to have been infected between July 14, 2014, and July 19, 2014, during which time a MetroHealth business associate disabled antivirus protection while updating software systems used on the computers. The malware was removed on March 18, and a backdoor created by the malware to enable subsequent access to the computers was purged on March 21. The computers stored data on patients who had cardiac catheterizations from July 14, 2014, to March 21.
Quote: “While unlikely, it is possible that this unauthorized access could lead to a compromise of some patient information,” according to a media notification emailed to SCMagazine.com on Monday. “MetroHealth has no indications that the information has been accessed or used by any unauthorized individual.”
Source: A media notification emailed to SCMagazine.com on Monday.