MetroHealth System in Cleveland suffered a data breach that exposed the information of nearly 1,000 patients thanks to malware on three computers.
The news was first reported by Cleveland.com. The breach occurred when the health system found malware on three computers in its cardiac catheterization lab. The malware exposed data on patients who had procedures done in the lab from July 14, 2014 to March 21 of this year. According to the health system, a business associate disabled its antivirus software on those three computers to update another software application. The health system removed the malware on the 18th and "back-door" access to the computers on the 21st of March.
The information exposed included the patient’s name, date of service, date of birth, height, and weight; medications administered during the procedure, medical record number, case number (limited to only to that procedure), and cardiac catheterization raw data such as tracings of electrocardiogram (EKG) and oxygen saturation. The health system told Cleveland.com that it did not include financial data.
The health system said it will strengthen security and privacy protocols in light of this event, including the increasing of malware monitoring and reviewing antivirus updates.
