The Chattanooga Heart Institute detected a cybersecurity breach on its IT network in April. Further research established that unauthorized outsiders had accessed the network and copied private patient information. As a result, 170,000 patients were impacted.
The Chattanooga Heart Institute discovered the hacking on April 17, protected its network, alerted federal criminal enforcement, and launched an emergency investigation with help from outside forensics. According to the final discovery, the third-party obtained protected data by accessing the network between March 8 and March 16, made public on May 31.
In a breach notice published on its website, the organization, which has three vascular surgeons and 27 cardiologists at four locations in Tennessee and one in Georgia, said a forensics investigation into the incident had revealed that an "unauthorized third party" had gained access to its network between March 8 and March 16 of the previous year.
"Upon discovering the unauthorized third-party access, The Chattanooga Heart Institute took quick action to protect its systems, contain the incident, begin an investigation and maintain continuity of care."- Clinic's Breach Notice
The attackers did not immediately access the practice's computerized medical record.
Information exposed in the attack included
- Patient or Guarantor Names
- Mailing Address
- Phone Number
- Date of Birth
- Driver's License Number
- Social Security Number
- Account Information
- Health Insurance Information
- Diagnosis and Condition Information
- Lab Results
- Other Clinical, Demographic, and Financial Information
In the following weeks, letters will be delivered to 170,000 patients whose data may have been compromised. These patients can also get free identity monitoring services from the Chattanooga Heart Institute.
According to the clinic, as each file is thoroughly reviewed, notification letters to anyone whose data may be affected will be delivered via U.S. mail.
- The Chattanooga Heart Institute. THE CHATTANOOGA HEART INSTITUTE NOTICE OF DATA SECURITY INCIDENT.
- DataBreaches. The Chattanooga Heart Institute to notify 170,450 about March "data security incident."
- Department of Health & Human Services. Karakurt Threat Profile.
- BankInfoSecurity. As Attacks on Healthcare Continue, Feds Warn of New Threats.