Recently, Taylor Regional Hospital reported a cyber security event resulting in the hospital’s phones and computer systems going down. Taylor Regional Hospital first reported the breach on January 24, 2021. As of February 1, the hospital was still experiencing outages across its phone and computer systems, as mentioned in a banner displayed across the home page of the Taylor Regional Hospital website.
Security breaches like this one can stem from a variety of cyberthreats. Certainly, it is possible that a hacker merely wanted to cause a disruption in the hospital’s operations. However, in many cases, when computer systems are taken offline by a hacker, it’s an indication of something more nefarious. Often, hackers who are able to bypass the security system will then attempt to remove patients’ protected health information from the affected servers. This may result in myriad potential problems for patients; for example, depending on the information on the servers, this may increase their risk of experiencing identity theft. Regardless, the thought of personal and health information being in the hands of an unknown party—let alone a possible criminal—is good reason to be concerned.
Importantly, Taylor Regional Hospital has not yet confirmed that the protected health information of any patient was compromised in the ongoing cybersecurity event. However, given the risks involved, those who believe their data may have been compromised as a result of the Taylor Regional Hospital data security incident should take the necessary precautions to keep their information secure. The data breach lawyers at Console & Associates, P.C. are closely following all developments and are prepared to investigate a possible class action lawsuit if evidence emerges that Taylor Regional Hospital neglected the duties it owed to patients.
Is Your Protected Health Information at Risk Due to the Taylor Regional Hospital Breach?
Patients have special rights under federal law when it comes to their protected health information (PHI), and covered entities, including healthcare providers, must take special care when they possess a patient’s PHI. According to the U.S. Department of Health and Human Services, “protected health information” is defined as “information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.”
This makes clear that protection is afforded to certain health-care-related information when it is paired with additional data that allows a viewer to determine the patient’s identity. Under the HIPAA Privacy Rule, there are 18 of these identifiers:
- Full Names or a last name with an initial;
- Any geographical identifier more specific than a state;
- Dates;
- Phone numbers;
- Fax numbers;
- Email addresses;
- Social Security numbers;
- Medical record numbers;
- Health insurance beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers;
- Device identifiers and serial numbers;
- Web Uniform Resource Locators (URLs);
- Internet Protocol (IP) addresses;
- Biometric identifiers, including fingerprints;
- Full-face images or other identifying photographs; and
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data.
If PHI has even one of these identifiers, it is protected under HIPAA and patients are entitled to additional protection. It is only when PHI is devoid of all identifiers that it is no longer considered “protected.”
While it remains to be seen if the recent Taylor Regional Hospital “cyber security incident” will turn into a data breach, the consumer privacy lawyers at Console & Associates, P.C. are staying on top of the incident and will announce any further developments.
