Hacker breaches UH optometry clinic database

June 9, 2012

Officials at the University of Houston (UH) College of Optometry are working with local law enforcement and the Federal Bureau of Investigation (FBI) to identify a hacker who apparently breached the security of a computer at one of the college’s neighborhood eye clinics on Feb. 23 and deleted the records of 7,000 patients.

Staff at the La Nueva Casa de Amigos Eye Clinic, just north of downtown Houston, are now at work restoring the 7,000 deleted records and say there is, as yet, no evidence the patient information has been used for illicit purposes, such as insurance fraud.

“The University of Houston and the College of Optometry take privacy issues regarding health information and other personal data very seriously and are engaged in a careful review of this matter,” the university said in officially announcing the breach on its website April 24. “The university is not aware of any wrongful use of the information, and there is no evidence that the patient records were in fact viewed or copied.”

The breach was limited to a single computer. No other clinic or university systems were affected. The hacker attacked the computer from outside the United States, according to TheDailyCougar.com, the university’s online campus newspaper. University officials say that, in line with federal regulations governing the security of electronically maintained patient information, they have notified all 7,000 individuals whose records were lost in the incident. The records included health information, contact information and other personal information, but did not include Social Security, credit card or driver’s license numbers, according to the university. Nevertheless, university officials are encouraging patients affected by the breach to take steps to protect themselves from identity theft.

UH information technology personnel implemented immediate network and system configuration changes in response to the incident, according to the university. The UH utilizes a sophisticated array of security systems to protect its campus databases, according to Mary Dickerson, chief information security officer for UH and the UH system. However, because the clinic is outside the university campus, some, but not all, of those systems were used on the clinic’s computer.

University officials delayed publicly announcing the security breach until an investigation could accurately determine the extent of the data compromised and the required patient notification process was undertaken.

Entities covered by the federal Health Insurance Portability and Accountability Act (HIPAA) must report any improper access to data that is considered “protected health information (PHI)” under the act to affected patients and, in the case of a security breach involving more than 500 patients, to the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) and the news media. Health care entities are also required to report a summary of all security breaches, of any size, to the HHS annually. The Federal Trade Commission has companion requirements that apply to entities not covered by HIPAA. Reporting of security breaches is not required if the electronic data is considered to be “secured” under the HHS regulations; that is generally understood to mean data that is encrypted, according to the AOA Advocacy Group.

The UH took the additional step of establishing a toll-free telephone line through which affected patients can obtain information regarding the security breach.

Additional information on the federal requirements for the reporting of security breaches in health care practices is available on the HHS Office for Civil Rights website (www.hhs.gov/ocr/privacy).
