Recently, Baptist Health System confirmed that the company experienced a data breach stemming from an incident in which an unauthorized party gained access to the company’s computer network after installing a line of malicious code on the System’s website. According to the Baptist Medical Center, the breach resulted in the full names, dates of birth, addresses, Social Security numbers, health insurance information, medical information and billing information of affected patients being compromised. On June 16, 2022, Baptist Medical Center filed official notice of the breach and sent out data breach letters to all affected parties. The Baptist Health breach affected more than 1.2 million patients in Texas alone.
If you received a data breach notification, it is essential that you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Baptist Health System data breach, please see our recent piece on the topic here.
More Details About the Baptist Health System Data Breach
According to an official notice filed by the company, on April 20, 2022, Baptist Health System discovered that a malicious actor installed a line of code on the back-end of the organization’s website. In response, Baptist Health suspended the affected systems to restrict further access and began working with a cybersecurity firm to investigate the incident. While the investigation is ongoing, so far, Baptist Health has confirmed that an unauthorized third party was able to access certain systems that contained personal information and remove some data from the network between March 31, 2022 and April 24, 2022.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Baptist Health System then reviewed the affected files to determine exactly what information was compromised. While the breached information varies depending on the individual, it may include your full name, date of birth, address, Social Security number, health insurance information, medical information and billing information.
On June 16, 2022, Baptist Health System sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Baptist Health System is a health system based in San Antonio, Texas. The Baptist Health System consists of 65 locations, most of which are located in San Antonio and the surrounding areas. Baptist Health provides a wide range of healthcare services, including orthopedic care, neuroscience, cardiovascular care, emergency room care, obstetrics, and physical therapy. Baptist Health System employs more than 6,000 people and generates approximately $880 million in annual revenue.
Why It Is Important That Healthcare Providers Ensure the Safety of Your Protected Health Information
Baptist Health reported that the recent data security incident affected a significant amount of patient data. Among the data types leaked were patients’ protected health information. Protected health information refers to identifying information relating to a patient’s past, present or future health condition. It can also refer to information pertaining to how a patient pays for their healthcare.
In the wake of a healthcare data breach, it is important to understand what’s at stake. Healthcare-related data, on its own, isn’t necessarily protected health information. However, if healthcare-related data also contains one or more “identifiers” that can be used to pair up the data with a specific patient, it is considered “protected health information.” Thus, when protected health information gets exposed, it means that, with a little work, hackers can identify the patient it belongs to.
The harms that can stem from a data breach involving protected health information are very real. As is the case with other types of data breaches, the data obtained through a healthcare data breach provides the hacker with the information they need to commit identity theft or other frauds. However, the sort of identity theft that follows in the wake of a healthcare data breach is much more invasive and harder to fix. It also often comes at a far greater cost to victims.
For example, cybercriminals who conduct healthcare data breaches will often do so in hopes of accessing valuable information they can then sell to a third party. The third party purchases this data with the intention of using it to obtain medical care in the victim’s name—such as an expensive surgery. This carries financial consequences for the victim because either their insurance gets billed or, if they do not have coverage, they receive the bill in their own name.
The other, more insidious risk is that a person obtaining care in your name provides the treating doctor or surgeon with information about themselves that ends up in your medical record. For example, a “fake patient” could provide a doctor with their own list of allergies or medications. This could mean the next time you go to the doctor they have incorrect information in your file. While one would hope healthcare professionals would catch such an error, it is far from a guarantee.