Email breach affects Kentucky health center

September 20, 2012

Some healthcare agencies are experiencing the effects of cybercrime. Recently, a Kentucky-based health agency was the possible victim of a hacker attack, reminding organizations of the importance of complying with HIPAA.

According to Health Care IT, the Cabinet for Health and Family Services took measures after announcing a breach of an email account and notified 2,500 clients that their personal information might have been accessed by an unauthorized user.

How hacker gained access
In July, an employee of the Department for Community Based Services responded to an unsolicited email, then recognized unwarranted activities and deactivated the account thirty minutes later. Gwenda Bond, the assistant communications director for the Cabinet, said the agency is "pretty confident" none of the data was accessed. However, there is a slight chance a cybercriminal could have collected confidential information during the brief time the hacker had access. The emails contained names, addresses and other ID codes from the National Youth Transition Database of people who are, or have been, in foster care.

"In all likelihood, the hacker intended to access the state government e-mail server to send spam e-mails and did not access or view client information," said Rodney Murphy, executive director of the Office of Administrative and Technology Services.

The Cabinet is taking precautions and notified the affected clients individually, which is required under the Health Insurance Portability and Accountability Act, also known as HIPAA. The act includes a security rule that deals specifically with electronic protected health information, and lays out safeguards that every health institution must comply with for patient data protection.

Breach could lead to fines
According to JD Supra, a law firm, if an agency ignores a data breach, it could be at risk of monetary penalties. The Massachusetts Eye and Ear Infirmary recently violated the HIPAA compliance rules, and incurred a $1.5 million penalty after the theft of an unencrypted laptop, Gov Info Security reported.

Agencies should institute the proper network security measures to protect against data breaches and thefts, and to avoid being the subject of a HIPAA investigation. Experts urge decision makers to always use passwords and encryption, and to be aware of suspicious emails that require information to be filled out. Employees should also be trained on the procedures to follow if a hacker threatens the security of a system.

-McAfee Cloud Security