OrthoNebraska Hospital, based in Omaha, Nebraska, recently confirmed a data breach following an incident in which an unauthorized party gained access to an employee’s email account. As a result of the breach, sensitive patient information was compromised, including patients’ first and last names, gender, home address, phone number, date of birth, driver’s license number, national ID number, usernames and passwords, Social Security numbers, medical/diagnosis/treatment history, dates of service, lab test results, prescription information, names of providers, medical account numbers and insurance information. OrthoNebraska has not yet filed an official breach notice, so it is currently unknown how many patients were affected by the data security incident.
If you have received a data breach notification, it is essential that you understand what is at risk and what you can do about it. To learn more about how to protect yourself from fraud or identity theft and what legal options are available to you following the OrthoNebraska Hospital data breach, please see our recent article on the subject.
What led to the OrthoNebraska Hospital data breach?
According to a notice posted on the company’s website, around December 7, 2021, OrthoNebraska learned that spam messages were being sent from what appeared to be a company email address. In response, OrthoNebraska secured the compromised email account, reset all company email account passwords, and brought in cybersecurity professionals to investigate the incident.
The company’s investigation confirmed that on December 1, 2021, “one or more unauthorized individuals gained access to the email account and, as a result, likely obtained information.” OrthoNebraska then performed a manual review of all compromised files to determine which patient data, if any, was affected. Although the compromised information varies depending on the individual, it may include your first and last name, gender, home address, phone number, date of birth, driver’s license number, national ID card number, usernames and passwords, Social Security number, medical/diagnosis/treatment history, dates of service, lab test results, prescription information, provider name, medical account number, and insurance information.
In late June 2022, OrthoNebraska Hospital posted a breach notice on its website and began the process of sending data breach letters to all patients affected by the breach.
OrthoNebraska Hospital is an orthopedic specialty hospital located in Omaha, Nebraska. The hospital offers a range of orthopedic services, including imaging, physiotherapy, orthopedic emergency care, sports medicine, orthopedic surgery, and virtual care. OrthoNebraska operates seven locations across Omaha, as well as clinics in Council Bluffs, IA, Fairfax, MO, Norfolk, NE and Papillion, NE. OrthoNebraska employs approximately 400 people.
How serious are data breaches involving protected health information?
Because OrthoNebraska is a medical provider, it is no surprise that the breach compromised patients’ protected health information. Hackers and other cybercriminals have shown increased interest in targeting healthcare providers in recent months, in part because information obtained through such breaches can be extremely valuable.
Protected health information is data relating to a patient’s past, present, or future health status, the medical treatment they receive, or how they pay for their medical care. However, to be considered “protected” health information, the disclosed data must contain one or more identifiers that can be used to identify the patient; otherwise, it cannot be linked to a particular patient. Examples of identifiers include names, Social Security numbers, addresses, photographs, and biometric data such as fingerprints. Thus, when protected health information ends up in the hands of a criminal, they can easily determine to whom it belongs.
While just having your health information in the hands of strangers is concerning enough, the real harm from a health data breach stems from what the hacker does with the data. While some hackers may attempt to use patient information to commit typical financial identity theft, the most profitable avenue for them is to sell the data to a third party seeking medical treatment that they could not otherwise afford. The “fake patient” can buy a victim’s data from a hacker and then use that information to obtain expensive medical care.
While the initial harm of identity theft in healthcare is that the victim ends up footing the bill for treatment they did not receive, the more serious risk is that the fake patient gives care providers information about themselves that ends up in the victim’s medical file. Then, when the victim goes to the doctor or surgeon for their own treatment, providers may not have accurate information about the victim’s allergies, current medications, or medical history.
Healthcare data breaches are extremely serious and anyone who experiences such a breach should take all possible steps to reduce the risk of healthcare identity theft. Victims of a healthcare data breach who want to learn more about how to protect themselves and their rights to seek compensation from the company that leaked their data should contact a data breach attorney to get help.