Pediatric EMR Vendor Hacked… 2.2 Million Affected

A hacking incident at a cloud-based electronic health records software vendor has surfaced.

Pennsylvania-based Connexin Software Inc., which does business as Office Practicum, reported the hack to the U.S. Department of Health and Human Services on Nov. 11 and said it involved a network server.

Connexin in its breach notification statement lists about 120 pediatric practices affected by the incident.

In the statement, Connexin says that on Aug. 26, it detected “a data anomaly” on its internal network. A forensics investigation determined that an unauthorized third party had gained access to an internal computer network, removing some data contained in an “offline” patient data set used for data conversion and troubleshooting.

Connexin’s “live” electronic medical record system was not accessed, and the incident also did not affect any pediatric practice groups’ systems, databases or medical records systems, the statement says.

In any case, the range of patient data potentially compromised in the incident is wide. Connexin says patient information affected may have included name, guarantor name, parent/guardian name, address, email address, date of birth, Social Security numbers, health insurance information and medical and/or treatment information – including procedures, diagnosis, prescription information and physician names.

Financial information – such as billing claims, invoices and patient account identifiers used by providers – was also contained in the affected data set.

John Gunn, CEO of Token, says the following:

“Hackers are known for chasing quick scores and fast payoffs, but surprisingly they also “invest” for the future. They have spent years cultivating fake identities on Facebook, LinkedIn, and other social media to commit crimes and they harvest data for future crimes as they did in this instance. Each year, more of the victims of this breach will celebrate their 18th birthday and become prime targets to have their identity stolen because the hackers already have their SSN and other key information.”

Total number of people affected: 2.2 million. That’s not trivial. Hopefully someone investigates this data breach and holds any parties who allowed this to happen to account.

UPDATE: I have additional commentary from Chad McDonald, Chief of Staff and CISO, Radiant Logic:

“A breach of this size will have insurmountable repercussions for pediatric patients long after this is reported. The information obtained in this attack can be used for years in social engineering attacks, phishing attempts and more. Furthermore, while data conversion and troubleshooting practices are necessary, real patient data should almost never be used for this.”
