Health Information Management

Keyloggers, human error lead to breaches at hospitals in several states

HIM-HIPAA Insider, November 23, 2015

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

A series of recent breaches highlight the need for organizations to enforce encryption and take regular measures to detect and remove malicious software.

Keylogger intercepts Kentucky hospital’s data for three years
Owensboro Health Muhlenberg Community Hospital (OH Muhlenberg) in Greenville, Ky., reported a data breach affecting patients, staff, contractors, and anyone who may have used the hospital’s network between 2012 and July 2015. The Federal Bureau of Investigation (FBI) notified the hospital September 16 of suspicious activity involving third-party traffic on its network. OH Muhlenberg began an internal investigation and contracted a forensic IT firm. The investigation revealed that network devices were infected with a keystroke logger that may have been installed as early as January 2012. The keystroke logger captured data as it was entered onto infected computers and transmitted it to a third party.

Although there is no evidence that it was used inappropriately, the breach compromised provider information and patient health and financial information, including but not limited to:

  • Name
  • Address
  • Social Security number
  • Telephone number
  • Date of birth
  • Driver’s license/state ID number
  • Medical and health plan information (medical record number, health insurance number, diagnoses and treatment information, payment information)
  • Bank account information
  • Payment card information, including number and expiration date
  • Employment information
  • Credentialing information (Drug Enforcement Administration  number, National Provider Identifier, state licensure number)
  • Username and password information for accounts and websites accessed by hospital employees, contractors, and providers


OH Muhlenberg blocked the external unauthorized IP addresses and took steps to disable the malware, according to its statement. It continues to work with the FBI as part of the agency’s ongoing investigation into the incident and to improve security.

The Owensboro Health Group acquired OH Muhlenberg, formerly Muhlenberg Community Hospital, July 1. Although the start of the incident predates the acquisition, OH Muhlenberg accepted responsibility and took steps to ensure affected individuals can monitor and correct any misuse that results from the breach.

Patients, employees, and contractors, as well as providers who credentialed or re-credentialed, whose information was maintained or entered in the hospital’s network on or after January 2012 are being offered a free one-year enrollment in identity protection services. OH Muhlenberg urged anyone whose information may be affected to carefully review credit check reports, payment card statements, and explanation of benefits forms. It instructed employees, contractors, and providers to change all passwords for accounts they accessed from the hospital and other accounts which they use the same or a similar password for. OH Muhlenberg is operating a call center to field questions from affected individuals and created an FAQ page about the incident.

Second breach in as many months at North Carolina DHHS
The North Carolina Department of Health and Human Services (DHHS) experienced its second significant data breach of 2015 when a staff member sent an unencrypted email containing a spreadsheet with the PHI of 524 patients to the Ashe and Orange county health directors.
The most recent incident occurred September 14 but was not publicly reported until November 14, which means the department nearly missed the Breach Notification Rule requirement to report breaches within 60 days of discovery, according to the Winston-Salem Journal.

The spreadsheet contained the following patient information:

  • Name
  • Medicaid recipient identification number
  • Social Security number
  • Date of birth
  • Address
  • Gender
  • Ethnicity
  • Race
  • Insurance information and provider name


The North Carolina DHHS says that although it can’t determine that the email was not intercepted during transmission, it has no reason to believe the PHI was accessed by unauthorized individuals, the Winston-Salem Journal reported. The department mailed letters to affected individuals, although it did not confirm whether it offered patients credit monitoring services.

A similar incident involving 1,615 patients occurred August 19, according to WRAL. An employee sent an unencrypted email with a spreadsheet attached to the Granville County Health Department. The spreadsheet contained the names, Medicaid identification numbers, and provider names and ID numbers as well as other Medicaid-related information of North Carolina DHHS patients. The spreadsheet also listed Social Security numbers of two patients.

The North Carolina DHHS agreed to install software that would automatically prevent unencrypted emails from being sent after the August breach, but it had not done so in time to prevent the September breach. The August breach was reported to the Office for Civil Rights October 19, but the recent breach does not yet appear on OCR’s “Wall of Shame.”

Wrong address at UC Health
A mistyped email address resulted in a series of breaches affecting 1,064 patients at the University of Cincinnati Medical Center, UC Health announced November 14.

The emails included the following patient information:

  • Names
  • Dates of birth
  • Medical record numbers
  • Dates of service
  • Physician names
  • Diagnosis information


The facility learned of the problem September 16, but the breaches occurred in nine separate incidents dating back to August 2014. The emails were meant to be sent internally, but were mistakenly sent to an incorrect email address at a domain similar to UC Health’s when two letters in the address were transposed. Emails originating from UC Health are now blocked from being sent to the unauthorized domain.

“We have no knowledge that the information in the emails was used or mis-used in any way, but we have sent letters to the affected patients,” UC Health says in its statement.

UC Health is working with a forensic investigative firm. Affected patients will receive letters and a call center number is in in place for those seeking further assistance.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

    Briefings on APCs
  • Briefings on APCs

    Worried about the complexities of the new rules under OPPS and APCs? Briefings on APCs helps you understand the new rules...

  • HIM Briefings

    Guiding Health Information Management professionals through the continuously changing field of medical records and toward a...

  • Briefings on Coding Compliance Strategies

    Submitting improper Medicare documentation can lead to denial of fees, payback, fines, and increased diligence from payers...

  • Briefings on HIPAA

    How can you minimize the impact of HIPAA? Subscribe to Briefings on HIPAA, your health information management resource for...

  • APCs Insider

    This HTML-based e-mail newsletter provides weekly tips and advice on the new ambulatory payment classifications regulations...

Most Popular