Clinic discovers network breach that lasted 15 months

Chris Nerney
Chris Nerney, Contributing Writer |
Clinic discovers network breach that lasted 15 months

Cyber attacks on healthcare IT systems are headline-grabbing events that can lead to exposure of patient data, service disruptions, time-consuming recovery processes, and high costs in the form of paying a ransom or spending money on new servers, security systems, or consultants.

But that’s only when providers are aware their network and data has been breached. Perhaps even more chilling is the prospect that a system breach has gone undetected for months or even longer. Such was the experience of Peachtree Neurological Clinic (PNC), which discovered a 15-month breach as the Atlanta-based provider was investigating a recent ransomware attack.

In a notice to patients, Dr. Lawrence Seiden, a PNC managing partner, explained that the clinic was able restore its files and the functionality of its system through backup records in the wake of the ransomware attack.

“Subsequent scans of our system show no further sign of the ransomware,” Seiden wrote. “However, through our investigation of the incident, we discovered that our computer system previously had been accessed without our knowledge by unauthorized individuals not affiliated with PNC between February 2016 and May 2017.”

Seiden said the clinic was unable to determine which, if any, patient files or information were accessed during the 15-month-long breach, but noted that a patient’s “name, address, telephone number, social security number, date of birth, driver’s license number, treatment or procedure information, prescription information, and/or healthcare insurance information” could have been exposed.

"We take patient privacy seriously and are very sorry for any concern or inconvenience this incident has caused or may cause to anyone who has been affected," Seiden said. 

Uncovering a longstanding or ongoing healthcare system breach is not without precedent. Excellus Blue Cross Blue Shield divulged in August 2015 what Wired called “a nearly 2-year old intrusion campaign in its network that gave hackers access to potentially all its customers' records.”

Excellus said the breach may have begun as early as December 2013 and potentially affected more than 10 million patients.