The Texas healthcare provider recently filed a notice of data breach with the Department of Health and Human Services (HHS).
The Company
Elitecare Emergency Hospital is located in League City, Texas, and has been serving the Galveston County community for over ten years. The organization provides emergency services, including care for adults and children, imaging and radiology, laboratory services, cardiology, and more. Elitecare offers 24/7 emergency room and urgent care services.
While the hospital operates in Galveston County, it serves the southeast side of Houston, one of the largest metropolitan communities in the United States with over 7.5 million residents.
The Breach
According to a notice posted to Elitecare’s website, the hospital announced a data breach on September 16th of this year.
Elitecare described the incident as involving “unauthorized access to personal information and/or protected health information” in its network.
The hospital said their team identified suspicious activity on its computer systems on July 10th. To prevent further activity, Eltiecare disconnected and turned off all systems. They also contacted a cybersecurity incident response team to help investigate and resolve the incident.
The team determined the incident was a cyberattack on July 17th and that the intruder successfully accessed protected health information (PHI).
Currently, Elitecare believes that impacted individuals had contact information (including names, addresses, dates of birth, phone numbers, and email addresses) and one or more of the following:
-
Health insurance information, including health plans/policies, member and group ID numbers, and Medicaid/government payor ID numbers);
-
Health information, including medical record numbers, providers, diagnoses, medicines, test results, care, and treatment;
-
Billing, claims, and payment information, including claim numbers, account numbers, and balance due;
-
Additional personal information, including Social Security numbers, driver’s licenses, or state ID numbers.
According to their notice, Elitecare did not have a current estimate of impacted patients. However, they reported to the HHS that approximately 24,754 individuals had data accessed. The case is listed as under investigation by the HHS, so this number may change.
What Elitecare is Doing Next
Elitecare Emergency Hospital said in a statement that “the safety, privacy, and security of our patients are our priorities. Elitecare, along with leading external industry experts, continue to monitor the internet and dark web for any indication that the affected personal information is being circulated.”
Currently, Elitecare does not have reason to believe that any PHI has been released. The hospital said they are now taking steps to reinforce their policies and implement “additional technological safeguards to reduce the risk of similar incidents in the future.”
Elitecare has created a website offering additional support services, including how impacted individuals can access free credit monitoring, website scanning (to determine if personal information is on the dark web), and ID theft insurance.
Impacts on Victims
Unfortunately, data breaches are becoming increasingly common, especially in healthcare. For many patients, having this information exposed could place them at an increased risk for credit fraud, identity theft, or medical insurance theft.
Increasing breaches also have a compounding impact; as more data finds its way onto the dark web, bad actors may be able to compile various breaches to create a more complete profile of victims that can escalate theft and fraud efforts.
Even patients who don’t face financial implications may face other frustrating consequences; victims may become more prone to scam calls, phishing emails, or spam letters. Unfortunately, these attackers may try to access funds or gain further information from victims.
Consequences for Elitecare
While Elitecare has vowed to improve security, it’s likely that they will face continued repercussions for the data breach. Even as attackers become more sophisticated and data breaches seem more common than ever, the responsibility for data security remains on healthcare organizations.
According to recent reports on data breach legal cases, class action lawsuits “exploded” in 2023, and with the emergence of generative AI, they are expected to only increase in throughout 2024 and beyond. “We have entered a period of increased threats and heightened stakes in the valuation of class actions. The massive numbers will only work to further motivate the plaintiff’s bar in 2024 to increase filing and assert even more aggressive settlement positions,” said Gerald Maatman, Jr, a partner at law firm Duane Morris.
As far as the outcomes of these cases, the report stated that “less than 25% of the class certification decisions issued in data breach cases in 2023 came out in favor of plaintiffs.” Across all class action and government enforcement settlements, more than $50 billion was generated in 2023 alone.
For smaller practices, the financial impacts of the breach compounded with lawsuits can be severe. In 2023, one hospital even linked its closure to a ransomware event.
While most practices survive the financial implications, they still have to recover reputationally and will likely face increased scrutiny from governing bodies. Ultimately, once a breach has impacted a hospital, its impact can only be mitigated; it can never be undone.
How Cloudticity Can Help
Recent data shows breaches are increasingly targeting healthcare data because of its value on the dark web. Despite the threat, a shortage of cybersecurity experts leaves institutions vulnerable and ill-prepared.
But Cloudticity can help.
As a HITRUST certified organization with over 10 years as a leader in managed security for healthcare, we’ve never suffered a data breach. Despite an ever-evolving threat landscape with more sophisticated actors than ever, we’ve kept organizations secure and trusted. We use a proven security tech stack with the best cybersecurity experts, ensuring your data is safe and any vulnerabilities are promptly addressed.
While attacks, and the associated costs, are rising, Cloudticity helps organizations focus their resources on serving patients instead of security concerns.
If you want to learn more about how we can help protect your organization from network attacks, reach out for a free consultation today.
