OrthoNebraska Hospital Reports Leaked Protected Health Information Following Email-Based Cyberattack

Console and Associates, P.C.

OrthoNebraska Hospital, based in Omaha, Nebraska, recently confirmed a data breach following an incident in which an unauthorized party gained access to an employee’s email account. As a result of the breach, sensitive patient information was compromised, including patients’ first and last names, genders, home addresses, phone numbers, dates of birth, driver’s license numbers, state identification card numbers, usernames and passwords, Social Security numbers, medical history/diagnosis/treatment, dates of service, lab test results, prescription information, provider names, medical account numbers and insurance information. OrthoNebraska has not yet filed an official notice of the breach. Thus, it is currently unknown how many patients were affected by the recent data security incident.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the OrthoNebraska Hospital data breach, please see our recent piece on the topic here.

What Led to the OrthoNebraska Hospital Data Breach?

According to a notice posted on the company’s website, on or around December 7, 2021, OrthoNebraska learned that spam messages were sent from what appeared to be a company email address. In response, OrthoNebraska secured the compromised email account, reset all company email account passwords, and enlisted the assistance of cybersecurity professionals to investigate the incident.

The company’s investigation confirmed that on December 1, 2021, “an unauthorized individual or individuals gained access to the email account and, as a result, likely obtained some information.” OrthoNebraska then engaged in a manual review of all compromised files to determine what, if any, patient data was affected. While the breached information varies depending on the individual, it may include your first and last name, gender, home address, phone number, date of birth, driver’s license number, state identification card number, usernames and passwords, Social Security number, medical history/diagnosis/treatment, dates of service, lab test results, prescription information, provider name, medical account number and insurance information.

Around the end of June 2022, OrthoNebraska Hospital posted notice of the breach on its website and began the process of sending out data breach letters to all patients who were affected by the breach.

OrthoNebraska Hospital is an orthopedic specialty hospital located in Omaha, Nebraska. The hospital provides a range of orthopedic services, including imaging, physical therapy, orthopedic urgent care, sports medicine, orthopedic surgery and virtual care. OrthoNebraska operates seven locations throughout Omaha, as well as clinics in Council Bluffs, IA, Fairfax, MO, Norfolk, NE and Papillion, NE. OrthoNebraska employs approximately 400 people.

How Serious Are Data Breaches Involving Protected Health Information?

Because OrthoNebraska is a medical provider, it is no surprise that the breach resulted in the protected health information of patients being compromised. Hackers and other cyber criminals have shown an increased interest in targeting healthcare providers in recent months, in part because the information obtained through these breaches can be incredibly valuable.

Protected health information is data that relates to a patient’s past, present or future health condition, the medical treatment they receive, or how they pay for their medical care. However, to be considered “protected” health information, the leaked data must contain one or more identifiers that can be used to identify the patient; otherwise, it cannot be linked to a particular patient. Examples of identifiers include names, Social Security numbers, addresses, photographs, and biometric data such as fingerprints. Thus, when protected health information ends up in the hands of a criminal, they can easily determine who it belongs to.

While simply having your health information in strangers’ hands is concerning enough, the real harm of a healthcare data breach stems from what the hacker does with the data. While some hackers may attempt to use patient information to conduct typical financial identity theft, the more profitable route is for them to sell the data to a third party who is looking to receive medical treatment they could not otherwise afford. The “pretend patient” can buy a victim’s data from a hacker and then use their information to obtain expensive medical care.

While the initial harm of healthcare identity theft is that the victim ends up footing the bill for treatment they didn’t receive, the more serious risk is that the fake patient gives medical providers information about themselves that ends up in the victim’s medical record. Then, when the victim goes to the doctor or surgeon for their own treatment, the providers may not have accurate information about the victim’s allergies, current medication, or medical history.

Healthcare data breaches are extremely serious, and anyone victimized in such a breach should take every possible step to reduce the risk of healthcare identity theft. Victims of a healthcare data breach who want to learn more about how to protect themselves and what their rights are to pursue a claim for compensation against the company that leaked their data should reach out to a data breach lawyer for assistance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Console and Associates, P.C.
