A hacker breached the University of Virginia Health System, infecting physician devices with malware that allowed a hacker to access medical records of 1,882 patients for 19 months.

The Charlottesville-based health system discovered the breach on Dec. 23, 2017. However, the hacker first gained access on May 23, 2015. UVA Health System is currently sending notifications to the patients impacted by the breach.

By working with the FBI and performing an internal investigation, officials determined physician devices were infected with malware that allowed the hacker to view everything the physician viewed on the device at the same time.

[Also: The biggest healthcare data breaches of 2018 (so far)]

This means that for 19 months the hacker would have been able to view medical records and other patient documents. Officials said the investigation couldn’t rule out whether the hacker actually viewed the information.

The data impacted by the breach included patient names, diagnoses, treatments, dates of birth and addresses. According to officials, financial data and Social Security numbers weren’t included.

The health system is still working with the FBI on its investigation, but officials said that the hacker in question was arrested. The FBI found the hacker didn’t take, use or share patient information.

“UVA Health System apologizes for this incident and regrets any inconvenience or concern this causes our patients,” officials said in a statement. “To help prevent something like this from occurring in the future, UVA Health System has enhanced the security measures required to remotely access patient information.”

The incident highlights the need for organizations to routinely monitor their systems for any abnormalities that can alert the IT team to any unauthorized access.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com