Skip to main content

Analysis

Inova Health System Reports Breach Affecting More Than 1M Individuals

By Revenue Cycle Advisor  
   September 15, 2020

The information exposed did not include Social Security numbers, financial account information, or credit card/payment information, according to Inova.

A version of this article was first published September 15, 2020, by HCPro's Revenue Cycle Advisor, a sibling publication to HealthLeaders.

Inova Health System, a nonprofit healthcare provider based out of Merrifield, Virginia, reported a breach on September 9 affecting 1,045,270 individuals, according to the Office for Civil Rights (OCR) breach portal.

Inova was made aware on July 16 that Blackbaud, a third-party vendor used for fundraising efforts, experienced a wide-reaching security incident that may have exposed the personal information of Inova patients and donors, according to the security notice posted on Inova’s website.

Blackbaud experienced the ransomware attack in May. The company’s investigation concluded that a threat actor accessed and removed data, including information that Blackbaud maintained for Inova, from Blackbaud’s systems between February 7 and May 20.

Upon receiving notification of the attack, Inova conducted its own investigation. It determined that the information removed by the threat actor may have contained protected health information (PHI) of some of its patients and donors. The information may have included the following:

  • Addresses
  • Dates of birth
  • Dates of service
  • Donation dates and amounts
  • Full names
  • Hospital departments
  • Phone numbers
  • Provider names

The information exposed did not include Social Security numbers, financial account information, or credit card/payment information, according to Inova. Additionally, Inova’s electronic health record system was not impacted by the attack.

The accessed data was permanently destroyed and Blackbaud’s vulnerability has since been resolved, according to the Inova security notice.

While Inova does not believe any data will be misused or made publicly available, the company encourages individuals to take steps to protect their information. The preventive measures include placing a fraud alert and/or a security freeze on credit files and obtaining a free credit report.

Revenue Cycle Advisor combines all of HCPro's Medicare regulatory and reimbursement resources into one handy and easy-to-access portal. News is not just repeated from other sources. It is analyzed by our Medicare experts so professionals can comprehend any new rule and regulatory updates thoroughly. Learn more.


Get the latest on healthcare leadership in your inbox.