Latest news with #medicalrecords


Fox News
20-05-2025
- Health
- Fox News
Ascension healthcare data breach exposes 430,000 patient records
The state of cybersecurity in the healthcare industry worries me a lot. Healthcare organizations, whether nonprofit or for-profit, collect an enormous amount of data. And it's not just phone numbers, addresses or emails but also sensitive information like medical records, insurance details and more. This data is extremely valuable, which makes it a prime target for hackers. What's worse is that many healthcare institutions often neglect cybersecurity and treat it as an afterthought. In 2024 alone, an industry tracker recorded 1,160 healthcare breaches that exposed 305 million patient records. This marked a 26% increase compared to the previous year.

Against this backdrop, Ascension, a Missouri-based Catholic health system with 142 hospitals and 142,000 employees, recently disclosed that a December 2024 breach exposed the personal and medical information of more than 430,000 patients. According to Ascension's breach notification letters, the compromise began on Dec. 5, 2024, when the network learned patient data "may have been involved in a potential security incident." By Jan. 21, 2025, its investigators had determined that Ascension had "inadvertently disclosed information to a former business partner," and that attackers likely stole data from that partner via a flaw in its software. In other words, patient records passed from Ascension into a third party's system and were then siphoned off by cybercriminals.

The attackers gained a broad array of information. Impacted patients' demographic and financial details, names, mailing addresses, phone numbers, email addresses, dates of birth, race, gender and Social Security numbers were exposed. Even more worryingly, the breach included clinical data from hospital stays, including physician names, admission and discharge dates, diagnosis and procedure codes, medical record numbers and insurance details. This is the very data that criminals can exploit for fraud or identity theft.
Ascension reported the breach to regulators via an HHS filing on April 28, 2025, which shows 437,329 patients affected. By comparison, the company had earlier disclosed the impact in state filings. For example, 114,692 Texas patients and 96 Massachusetts residents were individually notified of exposure. In response, Ascension is offering those affected two years of free identity monitoring services (credit monitoring, fraud consultation and identity theft restoration). For scale, Ascension is a major nonprofit health system, one of the largest in the U.S., operating 142 hospitals across North America.

The company has not named the third-party partner, but its description fits a vendor whose secure file-transfer software was breached. The timing aligns with a series of recent Cl0p ransomware attacks. Cl0p has publicly claimed responsibility for exploiting a zero-day flaw in Cleo's secure file-transfer products, stealing data from dozens of organizations worldwide. While Ascension itself was not directly hit by ransomware, its data might have ended up in that same attack campaign.

Ascension's patients and employees are no strangers to data breaches. In May 2024, a Black Basta ransomware attack compromised Ascension's own network. That incident, traced back to a single employee opening a malicious file, resulted in the exfiltration of data belonging to nearly 5.6 million people. The fallout was severe. Hospitals lost access to digital records, forcing clinicians to record vitals, medications and orders on paper. Elective procedures and some appointments were paused, and emergency services were redirected to unaffected facilities to avoid delays in care.

We reached out to Ascension for a comment on our article but did not hear back before our deadline. If you think you were affected or just want to be cautious, here are some steps you can take right now to stay safe from the Ascension data breach.
1) Watch out for phishing scams and use strong antivirus software: With access to your email, phone number or identification documents, Ascension attackers can craft convincing phishing emails pretending to be from healthcare providers or banks. These emails might include malicious links designed to install malware or steal login information. To defend yourself, use a strong antivirus program. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.

2) Scrub your data from the internet using a personal data removal service: The more exposed your personal information is online, the easier it is for scammers to use it against you. Following the Ascension breach, consider removing your information from public databases and people-search sites. While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren't cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It's what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you. Check out my top picks for data removal services here.

3) Safeguard against identity theft and use identity theft protection: Hackers now have access to high-value information from the Ascension breach, including Social Security numbers and bank information. This makes you a prime target for identity theft. You might want to consider investing in identity theft protection, which can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. Signing up for identity theft protection gives you 24/7 monitoring, alerts for unusual activity and support if your identity is stolen. See my tips and best picks on how to protect yourself from identity theft.

4) Set up fraud alerts: Requesting fraud alerts notifies creditors that they need extra verification before issuing credit in your name. You can request fraud alerts through any one of the three major credit bureaus; they'll notify the others. This adds another layer of protection without completely freezing access to credit.

5) Monitor your credit reports: Regularly check your credit reports; you can access free reports from each bureau once per year, or more frequently if you're concerned about fraud. Spotting unauthorized accounts early can prevent larger financial damage.

6) Change passwords and use a password manager: Update passwords on any accounts tied to compromised data. Use unique passwords that are hard to guess and let a password manager do the heavy lifting by generating secure ones for you. Reused passwords are an easy target after breaches. Consider password managers for convenience and security. Get more details about my best expert-reviewed password managers of 2025 here.

7) Be wary of social engineering attacks: Hackers may use stolen details like names or birthdates from breaches in phone scams or fake customer service calls designed to trick you into revealing more sensitive info. Never share personal details over unsolicited calls or emails. Social engineering attacks rely on trust, and vigilance is key.

Attackers have frequently targeted Ascension, but the company does not seem to be learning its lesson. If it were a one-off incident, it might be understandable. But how do you fail to strengthen cybersecurity after experiencing a nationwide blackout? Rather than being an isolated event, this breach feels like part of a larger pattern.
The industry relies on complex vendor networks and outdated IT systems, while cybercriminals continue to exploit emerging vulnerabilities. Should hospitals be penalized for neglecting basic cybersecurity practices?


Globe and Mail
19-05-2025
- Health
- Globe and Mail
Patient records should belong to patients
Here's a revolutionary idea. Patients should have access to their personal medical information by default. Not after they make a specific request for it, potentially wait up to 30 calendar days for a response and possibly pay a fee for a copy of the records, as currently set out in various iterations of rules across provinces. By default means that when you go for, say, blood work, it's guaranteed that you, along with your doctor, will get a copy of the test results for free, in a timely manner and convenient format. The fact that this is a novel concept is a problem.

Canadians have the right to access their medical records if they wish to, with limited exceptions, according to a 1992 Supreme Court decision. Enabling patients to see their own information, the court noted, helps to ensure 'the proper functioning of the doctor-patient relationship,' both strengthening the trust in that relationship and protecting the well-being of the patient. Yet more than three decades later, being able to exercise that right often remains unnecessarily arduous. Only four in 10 Canadians currently access their health information electronically, recent data show. And sometimes patients or their authorized caregivers must resort to filing an access to information request to get their own or their family members' full medical records. This is simply unacceptable – and a symptom of the broader issue with how Canada handles medical records.

The system treats doctors and other health care providers as custodians of the patient information that they collect or receive. Sensibly, that role comes with strict obligations to protect the records to ensure patients' privacy. But there generally aren't equally strong obligations to share that information where appropriate. For example, a doctor in Alberta may face a fine of up to $200,000 for violating the province's health privacy law.
But a physician faces virtually no consequence for failing to share information when needed, a recent report found. And while sharing information is easier in the digital era, this framework has bred a system in which different bits of a patient's electronic record are held by different health care providers on a multitude of platforms that often can't communicate with each other. And that's not to mention cases where information and medical images are still sent via fax or downloaded onto a CD.

This fragmentation hinders medical innovation, makes it harder to formulate health policy and creates unnecessary frustration, stress and extra work for health care providers. There can be deadly consequences for patients. An emergency room doctor may not have immediate access to the records of patients. A radiology scan showing an abnormality may not make it back to the referring physician. Ultimately, Canadians may not get the care they need.

There are efforts under way to tackle the problem. Some provinces now have centralized online portals where doctors and patients can find information such as lab test results. A federal bill had proposed national standards for electronic health information systems. That bill died when Parliament was prorogued but should be revived. Those are positive steps. But as Canada works to weave a coherent system for sharing health information, it should also establish the principle that patients are entitled to access their full medical records by default. Of course, there would continue to be limited exceptions, including in rare cases in which seeing the information would risk harm to the patient or others. There should be safeguards. No one should learn they have cancer by logging into a web portal. To that end, many of the platforms already delay the release of some information to patients to give doctors a chance to disclose it first.
But electronic information means doctors no longer have to make physical copies of patients' records, in most cases. It no longer makes sense that Canadians should have to ask to see their information, often chasing after different providers for various pieces of their medical history. Records should be shared with patients as a matter of course, to enable Canadians to bridge some of the information gaps in the system. Patients are the common link among all their caregivers. And they are highly motivated to make sure no information is missed. After all, it is patients' information – they have a right to it. There should be nothing revolutionary about that thought.


CBC
14-05-2025
- Health
- CBC
Snooping cases put N.W.T.'s medical record system under the microscope
Taken together, the cases highlight vulnerabilities in the health authority's medical record system. Sidney Cohen breaks it down for us.


CBC
13-05-2025
- Health
- CBC
N.W.T.'s medical record system under the microscope after 2 reported cases of snooping
Medical records are among the most sensitive pieces of information that a government agency keeps on citizens. But these records are not impervious to snooping, as evidenced by two distinct cases reported this year by the Northwest Territories Information and Privacy Commissioner. The privacy commissioner issues reports on cases in which an investigation yields evidence of intentional and unauthorized access to private health information, commonly known as "snooping." This year, commissioner Andrew Fox publicly reported two distinct cases of snooping in electronic medical records. They both involved employees of the Northwest Territories Health and Social Services Authority (NTHSSA). Taken together, the cases illustrate vulnerabilities in the NTHSSA's electronic medical record (EMR) system. According to at least one expert, the EMR system doesn't appear to meet the highest ethical standards for patient privacy. An EMR is a digital version of a patient's medical history. It can include things like test results, X-rays and prescriptions.

One of the cases published online this year by the privacy commissioner involves an instance in 2021 in which an administrative clerk with NTHSSA deliberately opened a person's EMR and relayed some of their private health information to another person. The clerk did this "without consent and without lawful authority," wrote Fox. The clerk admitted to wrongdoing during an NTHSSA investigation, and was fired some months later. Fox called this a "particularly egregious, intentional privacy breach." He said the health authority's response was appropriate, but that the agency should have revoked the employee's EMR access as soon as it confirmed the breach. The health authority uses "role-based access" to the EMR system, meaning an employee's access is limited to what is necessary for their role. Fox noted that on occasions when the clerk was assigned to other roles, the NTHSSA didn't restrict her EMR access in accordance with those roles.
'I felt incredibly violated'

The second case published this year involved two NTHSSA employees who, on multiple occasions, snooped in the medical records of a patient who wasn't in their care. The employees were siblings and the patient had previously been in a relationship with one of them. It wasn't until the patient filed a "record of activity" request in July of 2023 — a report on who had looked at her EMR — that she learned of the breach. "I was disgusted. I felt incredibly violated," said Maryse Gravelle, the patient who had her medical records snooped. "Our financial institutions have software in place to identify when there's a fraudulent charge possibly being made on our accounts," she said. "How can a banking institution have those sorts of safeguards in place, but there's no alerts on hospital software, on emergency medical records, to alert when there's a suspicious action in somebody's chart?"

In his report, the privacy commissioner said the siblings' jobs granted them "broad access" to the EMR system. Their motivation for opening the patient's records seems to have been "curiosity proceeding from a personal relationship." Fox called the privacy breach a "deliberate and serious breach of trust," and said it caused the patient "significant distress." Both siblings admitted to misconduct, were suspended without pay for 10 days and had their EMR access revoked for at least 18 months. The health authority is required by law to notify a patient about a breach of their medical records "as soon as reasonably possible." In a statement, NTHSSA CEO Kim Riles said the health authority must investigate all reports of privacy breaches, and upon completion of an investigation, notify the affected people. "At times, the investigation process can take a significant amount of time," wrote Riles. She added the NTHSSA is reviewing its practices and "has committed to ensuring the notification occurs as soon as a privacy breach is confirmed, regardless of whether a full investigation has been completed." She said the agency accepted the privacy commissioner's recommendations and continues to improve and update mandatory training.

Auditing EMRs 'a real challenge'

Livia Kurinska-Hrdlickova is the territory's chief health privacy officer. She said routine audits check for suspicious activity in the EMR system, which if found, is flagged to the health authority. But Fox told CBC that auditing EMRs for instances of unauthorized access is "a real challenge." "If you looked at some random sample of employees looking at health records, there's really nothing that you could infer from the fact that a lab assistant looked at someone's medical record," he said. "You couldn't tell whether that was authorized or not." Neither of the two snooping cases Fox published this year was flagged by a routine audit. Kurinska-Hrdlickova explained that an employee with role-based access to the EMR system has gone through mandatory privacy training, and taken an oath of confidentiality. They need a patient's first and last name, and their date of birth or health-care number, to open their medical record. The system also relies on trust that employees with access will only use the EMR system when it's required for their work on a specific case. "Any system across Canada is not perfect," said Kurinska-Hrdlickova. "You never go to a zero risk, right? Because that's impossible."

EMR system not structured 'according to ethics': expert

As Fox noted, NTHSSA extended trust to the employees with EMR access, and the employees breached that trust. Eike Kluge, a University of Victoria biomedical ethics professor, said in the case of the siblings, the EMR system shouldn't have allowed them to open Gravelle's record in the first place. "There should be a challenge. Justify who you are and what right you have to access that record," he said. Kluge said the system shouldn't just flag improper access, it should prevent it. If the system isn't blocking improper access, "it's not properly structured," he said. "Certainly not according to ethics." Kurinska-Hrdlickova disagreed with Kluge's assertion and said the territory's EMR system complies with territorial privacy legislation. She also said the territory's EMR system is set to be replaced in the near future, and that the new system will have even stronger privacy protections. There isn't readily available data on the prevalence of medical record snooping in the N.W.T. or in Canada.
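The debate above turns on two designs: a system that trusts a role-holder and relies on after-the-fact audits, versus one that challenges the user at the moment of access. The sketch below is an added illustration written for this page; it is not the NTHSSA's EMR software or any real vendor's product, and the roles, record sections, patient identifiers and care-team assignments are constructed sample data. It combines role-based scope with a care-relationship check, so that a user who is not assigned to the patient can only open the chart by recording a justification ("break-glass"), and every decision, granted or denied, lands in the audit log that a "record of activity" request would draw on.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample policy: which EMR sections each role may read at all.
# A real deployment would load this from the organisation's access policy.
ROLE_SCOPES = {
    "physician": {"demographics", "notes", "labs", "imaging", "prescriptions"},
    "lab_assistant": {"labs"},
    "clerk": {"demographics"},
}


@dataclass
class AuditEvent:
    """One line of a patient's record of activity."""
    when: str
    user: str
    role: str
    patient_id: str
    section: str
    outcome: str            # "allowed", "denied" or "break_glass"
    justification: str = ""


@dataclass
class EmrAccessGate:
    """Hypothetical access gate: role scope, then care relationship, then break-glass."""
    # patient_id -> set of user ids currently assigned to that patient's care
    care_team: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, user, role, patient_id, section, outcome, justification=""):
        event = AuditEvent(datetime.now(timezone.utc).isoformat(), user, role,
                           patient_id, section, outcome, justification)
        self.audit_log.append(event)
        return event

    def open_record(self, user, role, patient_id, section, justification=None):
        """Return True if the chart section is released; every decision is logged."""
        # 1. Role scope: a clerk never sees clinical notes, whatever the reason.
        if section not in ROLE_SCOPES.get(role, set()):
            self._log(user, role, patient_id, section, "denied")
            return False
        # 2. Care relationship: users on the patient's care team are allowed.
        if user in self.care_team.get(patient_id, set()):
            self._log(user, role, patient_id, section, "allowed")
            return True
        # 3. No relationship: the chart opens only with a recorded justification.
        #    This is the "challenge" step; curiosity alone is blocked, not just flagged.
        if justification:
            self._log(user, role, patient_id, section, "break_glass", justification)
            return True
        self._log(user, role, patient_id, section, "denied")
        return False

    def record_of_activity(self, patient_id):
        """What a patient's 'record of activity' request would return."""
        return [(e.user, e.section, e.outcome)
                for e in self.audit_log if e.patient_id == patient_id]

    def break_glass_events(self):
        """A short review queue for the privacy officer: every break-glass access."""
        return [e for e in self.audit_log if e.outcome == "break_glass"]


if __name__ == "__main__":
    gate = EmrAccessGate(care_team={"P-1001": {"dr_a"}})   # constructed sample data
    gate.open_record("dr_a", "physician", "P-1001", "notes")               # on care team
    gate.open_record("dr_b", "physician", "P-1001", "notes")               # denied
    gate.open_record("dr_b", "physician", "P-1001", "notes",
                     justification="ED consult")                           # break-glass
    for row in gate.record_of_activity("P-1001"):
        print(row)
```

The point of the third step is that the audit problem Fox describes shrinks: instead of inferring intent from a random sample of ordinary lookups, a reviewer only has to read the break-glass queue, where every entry already carries the user's own stated reason.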


CBC
09-05-2025
- Health
- CBC
Medical data for sale?
Your medical records could be for sale without you knowing. Coming up, we'll look at a study that uncovered a complex reciprocal relationship between data brokers and primary care clinics, where patient data was being sold and harvested by pharmaceutical companies for potential customers.