Northwest Arkansas Democrat-Gazette
Nashville hospital hit by data breach
NASHVILLE — A Howard County hospital is the latest Arkansas health care provider to announce a data security breach that could put patients and employees at risk, per a hospital release.
Howard Memorial Hospital became aware of suspicious network activity Dec. 4, the release says. An investigation discovered the potential for files to be stolen by an “unknown actor” between Nov. 14 and Dec. 4.
The hospital, located in Nashville, employs 250 employees and sees about 10,000 emergency department visits annually. The health care system, which includes outpatient clinics, had a gross revenue of $76 million during the 2021 fiscal year.
The U.S. Department of Health and Human Services Office for Civil Rights is required by law to post a public list of breaches of unsecured protected health information affecting 500 or more individuals.
So far in 2022, the department reports four previous hacking or information technology incidents for health care providers in Arkansas.
The four breaches accounted for 490,868 individuals affected this year, the report shows. The breaches happened at Mena Regional Health Care System, Independent Case Management, Magie Mabrey Hughes Eye Clinic and ARcare.
ARcare saw the largest breach with 345,353 individuals affected, the report says. The company provides comprehensive primary care and behavior services in clinics and medical centers in Arkansas, Mississippi and Kentucky, said a statement provided by the company in April.
Nationally, there have been 22 million individuals affected by hacking breaches of health care providers networks during 2022, according to the data report.
The Howard Memorial Hospital release states it has contacted federal law enforcement and plans to provide information to the U.S. Department of Health and Human Services. The hospital breach was not listed in the data report as of Thursday.
Hospital Administrative Director Sandy Webb said the breach originated outside the hospital. Details on how the data theft was discovered, the number of files affected and the potential financial impact were not immediately available.
Webb said while patient and employee files are stored on computer, the hospital does not use browser-based or mobile applications to grant access to the records.
The hospital hired an outside cybersecurity specialist immediately after learning about the possible breach in early December, the hospital’s release says. The unnamed company is helping to secure the network and investigate the activity.
A review of the “at-risk” files is continuing, the release says. Letters will be mailed to anyone potentially impacted by the breach. Those individuals will receive free credit monitoring and identity protection services.
Information potentially stolen could include a patient’s name, contact information, date of birth, social security, health insurance, medical record number, medical history, diagnosis, treatment and physician name. Employee records stolen could include name, contact information, date of birth, social security number and bank account information.