A surgical center affiliated with St. Peter’s Hospital has been hit by the second-largest computer breach of patient records in New York state since 2016.
On Friday, St. Peter’s Surgery & Endoscopy Center revealed that hackers potentially compromised medical records of about 135,000 patients earlier this year. The breach has been reported as required under law to the Office of Civil Rights at the U.S. Department of Health and Human Services.
Hackers from an “unknown and unauthorized third party” installed malware on computer servers for the center, located at 1375 Washington Ave., and the malware was discovered Jan. 8, according to a statement from the center issued Friday.
A subsequent inquiry by the center was unable to determine whether any records had been copied or not. Patients were advised to check insurance statements for suspicious activity or “charges for services they did not receive,” according to a statement from the center. Letters have been mailed to patients affected by the breach.
The compromised servers contained patients’ names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, insurance information and, in some instances, Medicare information, which includes Social Security numbers. The servers did not contain credit card or banking information, according to the statement.
The breach did not compromise computer servers for St. Peter’s Hospital or Albany Gastroenterology Consultants, according to the statement.
“Out of an abundance of caution, we are offering individuals whose Medicare information was contained on the affected servers a complimentary one-year membership to fraud detection and identity theft protection tools,” the statement continued.
Security experts have warned that information in medical records, particularly Social Security numbers, can be used in identity theft.
This medical records break-in at the St. Peter’s center is the second largest in the state since 2016, exceeded only by an August 2016 breach of 3.4 million patient records from Albany-based Newkirk Products Inc.
Newkirk issues identification cards for health insurance plans including Blue Cross and Blue Shield of Kansas City, Blue Cross Blue Shield of North Carolina, HealthNow New York Inc., BlueCross BlueShield of Western New York, BlueShield of Northeastern New York, and Capital District Physicians’ Health Plan, Inc. (CDPHP).
The medical data breach at an Albany surgical center was second-largest in the state since 2016
Entity | People Affected | Date
Newkirk Products | 3.4 million | August 2016
St Peter’s Surgery & Endoscopy | 135,000 | January 2018
Emblem Health-GHI | 81,122 | November 2016
Elderplan Inc | 22,000 | August 2017
MetroPlus Health Plan | 15,212 | September 2017
Shop-Rite Supermarkets | 12,172 | November 2017
Pediatric Healthcare Solutions | 6,932 | June 2017
Centers Plan for Health Living | 6,893 | March 2016
Source: U.S. Department of Health and Human Services
Other recent medical records breaches in the Capital Region included data for some 4,600 patients at Catholic Charities of the Diocese of Albany in October 2017, and records of about 950 patients of MVP Health Care Inc. in April 2017, according to online records at the U.S. Department of Health and Human Services.
In August 2016, hackers compromised records for nearly 22,000 patients at the state Office of Mental Health. That data included names, addresses, dates of birth, telephone numbers, email addresses, and, in some cases, Social Security numbers, driver’s license or state identification numbers, and coded health-related information from interviews or questionnaires.
In a prepared statement, the St. Peter’s center said it was “implementing even more stringent information security standards, increasing staff training, and investigating the purchase of additional and more elaborate anti-fraud and virus protection software.”
The center is a joint venture established by AGC Associates LLC and St. Peter’s Hospital of the City of Albany, a corporation that dates to 1871, according to records from the state Department of State.
The center “has its own board and operating structure, separate and apart from the two members of the joint venture,” according to the statement.
Health companies have been viewed in recent years as lagging in computer security compared to financial institutions and retail operations. In 2014, the FBI issued a warning to health companies that stronger computer security would be needed to deter hacking.
In 2015, Anthem, the nation’s second-largest health insurance company, was hit by hackers who broke into a database storing information on 80 million people, including Social Security numbers.
Last fall, the company reached a class-action settlement with its customers that provided for a $115 million fund to cover potential losses or the cost of enhanced credit protection services to protect against potential identity theft.
Anthem serves its medical members through fourteen Blue Cross Blue Shield entities, as well as numerous non-Blue Cross Blue Shield entities, such as Amerigroup Corporation, CareMore Health Group, Inc., HealthLink, and UniCare.