Baltimore-based LifeBridge Health and LifeBridge Potomac Professionals was hit by a malware attack that potentially exposed the private information of about 500,000 patients for more than a year, the officials said.

Officials said they discovered the breach on March 18, with a malware infection on its server that hosted LifeBridge Potomac Professional’s EHR and LifeBridge Health’s patient registration and billing systems.

However, the investigation that followed found the hackers first gained access to the EHR and servers on September 27, 2016. And the breached data included demographic information, dates of birth, medical history, clinical and treatment information, insurance data. For some patients, Social Security numbers were included.

[Also: The biggest healthcare data breaches of 2018 (so far)]

In addition to sending letters to patients as a precaution, officials said they have established a call center to answer questions. For those patients whose Social Security numbers were potentially involved, LifeBridge will offer a free one-year credit monitoring and identity protection service. 

“LifeBridge Health also recommends that patients review their billing statements and explanation of benefits they receive. If patients see services that they did not receive, they should contact the provider or insurer immediately,” a spokesperson told Healthcare Finance News in an emailed statement. “To help prevent something like this from happening again, LifeBridge has enhanced the complexity of its password requirements and the security of its system.”

LifeBridge Health serves Northwest Baltimore and includes Sinai Hospital of Baltimore, Northwest Hospital, Carroll Hospital, Levindale Hebrew Geriatric Center and Hospital, and its subsidiaries and affiliated units, including LifeBridge Health & Fitness and the LifeBridge Medical Care Centers in Eldersburg, Mays Chapel and Reisterstown. Sinai Hospital, Northwest Hospital and Carroll Hospital are all acute-care general hospitals with complementary clinical centers.

While the healthcare industry is slowing ramping up strategies and defenses against cybercriminals and their widely varied attacks, it's still considerably behind the curve set by other industries who have long treated it as a top-tier concern and integral part of operations. As these types of cyberattacks grow even more frequent and intricate, those threats must be looked at from a business risk perspective and treated with the same level of urgency as any other large marauding threat to the bottom line.

Twitter: @BethJSanborn
Email the writer: beth.sanborn@himssmedia.com