Information Regarding Vendor Data Security Incident
Box Butte General Hospital (BBGH) recently learned of a security incident involving unauthorized access to a database belonging to FastHealth, a vendor that maintained BBGH's online Web Nursery page from 2008 to 2015. Even though BBGH no longer uses FastHealth for the Web Nursery, FastHealth retained some of the personal information of certain individuals who used the BBGH Web Nursery service. BBGH recently sent letters to all impacted individuals for whom BBGH has valid addresses by U.S. mail. FastHealth provided BBGH with the following information that explains the incident.
On November 2, 2017, FastHealth received a report from law enforcement that an unauthorized third party may have acquired certain FastHealth databases. FastHealth immediately began an investigation and hired a leading computer security firm to assist with the investigation. FastHealth determined that, in mid-August 2017, an unauthorized third party was able to access FastHealth's web server and may have been able to acquire information from certain databases. BBGH was notified of this incident on December 29, 2017.
The incident did not affect all BBGH patients. It only affected certain individuals who used the BBGH Web Nursery service from 2008 to 2015. None of BBGH's systems were affected; the incident only affected FastHealth's web server.
The information that may have been affected includes newborn infants' first and middle names, dates of birth and birth statistics (sex, length, and weight); parent(s)' first name; comments/captions that may have been included on the Web Nursery page; the code used to access the Web Nursery page; and the newborn photos.
Under the HIPAA regulations, BBGH is required to tell affected individuals what they can do to protect against misuse of their protected health information. In general, to protect against misuse of protected health information, including medical identity theft, it is recommended that you:
- Closely monitor any "Explanation of Benefits" or "EOB" sent by an insurance company or other entity that pays medical bills. These entities often send out notices in the mail that describe recent medical events. Pay attention to these and contact your health care provider if they look suspicious.
- Request a copy of current medical records from each health care provider. Look them over to make sure that the information is familiar. Report any errors or suspicious information to the health care provider.
- Request an accounting of disclosures. This is a benefit of HIPAA. You can request a list of all the times medical information has been shared for certain activities along with the reason for sharing.
FastHealth has stated that it is taking steps to prevent this type of incident from happening in the future, including implementing a new encryption solution and strengthening its data protection and security protocols to limit the potential exposure of protected health information. We are requesting that FastHealth delete this information from its database. We deeply regret any concern this incident may cause our patients. To learn whether your child's information was included in the breach, you can contact Julie Sheldon, Privacy Officer, at 308-761-3397 or by e-mail at firstname.lastname@example.org