After 280K Patients Exposed in Data Breach, Oklahoma Hospital Shares What It Learned

The Oklahoma State University Center for Health Sciences wants to help other healthcare orgs prepare for cyberattacks.


Nearly 280,000 Medicaid recipients are wondering whether they might fall prey to identity theft after hackers gained access to a computer network at Oklahoma State University Center for Health Sciences (OSU-CHS), according to the academic medical center. But officials there are using their misfortune to teach other healthcare institutions how to avoid becoming a victim.

OSU-CHS reported the data breach, which took place in November, to the Department of Health and Human Services earlier this month, labeling it a “hacking/[information technology incident] on a network server.” The Tulsa institution followed up with a digital notice (warning: PDF) and subsequent letters to the 279,865 patients whose data were exposed, according to OSU-CHS.

Who was behind the infiltration? “We have no idea at all,” Anhna Vuong, the center’s vice president of external affairs, told Healthcare Analytics News™. “These guys operate in such a dark way. The feeling is that it’s international.”

The trouble came to light on November 7, when OSU-CHS found that an “unauthorized third party” had secured entry to folders containing patient billing information for Medicaid enrollees. The next day, the medical center “took immediate action” to scrub the folders and boot the intruders from the network, it said.

From there, OSU-CHS contracted a “leading forensics firm” to investigate what happened and which folders were affected, Vuong said. But the medical center later told patients that “the investigation could not rule out whether the third party explicitly accessed patient information.” OSU-CHS does not know whether hackers have used that personal data.

The investigation found that the folders could have included patient names, Medicaid numbers, healthcare provider names, appointment dates, “limited treatment information,” and just 1 Social Security number that was stored on the server, according to OSU-CHS. The cache did not contain any electronic medical records or banking information, it said.

It is rare for victims of data breaches, and especially hacks, to come forward to share what they have learned. Each month, HCA covers similar data breaches, both for breaking news and feature stories, and its requests for interviews with victims are almost always met with rejection or silence. OSU-CHS, however, decided to speak out.

“What we have learned from this is that you have to do daily penetration testing of your servers,” Vuong said, noting that this is now OSU-CHS policy. That means all computer servers in a given organization, she said, not just those on which a healthcare entity thinks information is stored. “You inadvertently might have health information stored on another server,” she added.

Another lesson: Keep up to date with the latest technologies, Vuong said. Hackers get around defenses quickly, as they constantly search for weak spots, meaning that healthcare organizations must not wait to install the latest—and most secure—software.

Given the growing threat to healthcare, other institutions and their patients could benefit from digesting these lessons now, before they must do so the hard way.

OSU-CHS set up a call center to answer patients’ questions (1-844-551-1727) and expects to send all letters by mid-February. Affected patients should be on the lookout for communications falsely claiming that they received certain medical services.

In the notice, the institution apologized for the breach and any harm it might cause patients. OSU-CHS has since established stronger data safeguards—and it has begun to understand what healthcare is up against.

“These guys are very sophisticated,” Vuong said of the hackers. “We have definitely learned our lesson.”