UVA Health System Notifies 1,882 Patients About Potential Privacy Issue
University of Virginia Health System is notifying 1,882 patients that an unauthorized third party may have been able to view some of their private health information.
CHARLOTTESVILLE, Va. (WVIR) - The University of Virginia Health System is notifying patients of a cyberattack that gave a hacker access to over 1,800 medical records.
The FBI discovered that a physician's devices with the UVA Health System were infected with malware, which allowed the hacker to see what the employee was viewing.
"It was malicious software – malware – that this operator created and was actually able to infiltrate the devices of those individuals who were victims of his crime," said Regina Verde with the UVA Health System.
Verde explained, "The operator was able to view whatever was on the device of our physician. So we had to use some forensics to determine at which points our physician was actively online so we could see which patients’ records might have been viewed."
The UVA Health System says the suspect may have been able to view things like patients’ names, treatments, addresses and dates of birth.
"There were 1,882 patients that we are notifying," Verde said.
According to the FBI, the hacker may have been able to view patient information from May 2015 to December of 2016.
Authorities have arrested the hacker, and say that he did not share the information in any way.
"We regret that this happened. It was unfortunate and is kind of a sign of our times that these kinds of crimes can take place. We hold our patients’ information to be very, very valuable and we are taking every measure we can to prevent this from occurring in the future," Verde said.
The University of Virginia Health System mailed letters to the patients that could have been affected by the privacy issue. It says it will be enhancing security features when it comes to handling patient information.
The UVA Medical Center also says that other parties and businesses were affected by this hacker.
The FBI is continuing to investigate the situation.
02/21/2018 Release from the University of Virginia Health System:
CHARLOTTESVILLE, Va., Feb. 21, 2018 – University of Virginia Health System is notifying 1,882 patients that an unauthorized third party may have been able to view some of their private health information on a UVA physician’s laptop computer and other devices.
On December 23, 2017, University of Virginia Health System learned that this third party may have been able to view patient information on these devices from May 3, 2015, to December 27, 2016.
UVA has been working with the Federal Bureau of Investigation in its investigation and conducted an internal investigation. The investigations determined that the UVA Health System physician’s devices were infected with malicious software that allowed the third party to see what the physician was viewing on his devices at the same time.
During this time period, the physician would conduct UVA Health System business from his devices, which included accessing medical records and other documents containing patient information. The investigations could not rule out that the third party may have been able to view some patient information, which may have included patients’ names, diagnoses, treatment information, addresses and dates of birth. Patients’ Social Security numbers and financial information were not viewable. UVA Health System continues to cooperate with the FBI in its investigation.
The FBI has advised UVA Health System that the third party has been arrested and did not take, use or share patients’ information in any way. But as a precaution, UVA Health System mailed letters to affected patients on February 21, 2018. UVA Health System is also providing a dedicated call center for affected patients. Patients with questions or who need more information can call 1.866.291.7429 between 9 a.m.-5 p.m. Eastern Time, Monday through Friday. More information can be found at the UVA Health System website. UVA Health System recommends that affected patients review statements they receive from their health insurance provider and contact their insurer immediately if there are charges for services they did not receive.
UVA Health System apologizes for this incident and regrets any inconvenience or concern this causes our patients. To help prevent something like this from occurring in the future, UVA Health System has enhanced the security measures required to remotely access patient information.