Decatur County General Hospital Data Breach (2017)

On November 27, 2017, we received a security incident report from our EMR system vendor indicating that unauthorized software had been installed on the server the vendor supports on our behalf. The unauthorized software was installed to generate digital currency, more commonly known as “cryptocurrency.” Although the hospital’s investigation is ongoing, they believe that an unauthorized individual accessed the server housing the EMR system to inject the software. The goal of the attack did not appear to be the acquisition or exfiltration of patients’ personally identifiable information or protected health information, and the hospital has no evidence that PII or PHI was acquired or viewed. But as is the case so often, they could not definitively prove that there was no access or viewing, and so, they must notify patients.  Information contained on the affected server included demographic information such as patient names, addresses, dates of birth, and Social Security numbers, clinical information such as diagnosis and treatment information, and other information such as insurance billing information.