Keystone First
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
In August 2022, Keystone Health, a Pennsylvania-based healthcare system, experienced a significant data breach that potentially impacted the personal health information (PHI) of over 235,000 individuals. The unauthorized access to Keystone Health’s systems occurred between July 28, 2022, and August 19, 2022. The breach was discovered when a glitch caused the organization’s systems to go offline temporarily. Keystone Health promptly reported the incident to law enforcement and engaged a third-party cybersecurity firm to investigate the breach[2][5].
The investigation revealed that the unauthorized access resulted in the exposure of sensitive patient information, including names, Social Security numbers, and clinical information. This breach raised concerns about the potential for identity theft and fraud, as the stolen data could be used to access banking, retirement funds, and other financial information, as well as to impersonate victims to pharmacies or insurance companies[2].
In response to the breach, Keystone Health began sending notification letters to affected individuals on October 14, 2022, and offered free credit monitoring services to eligible victims. The organization also established a dedicated hotline for affected individuals to seek assistance[2].
Legal actions followed the breach. A class action lawsuit was filed against Keystone Health, alleging negligence for failing to implement minimum industry standards for protecting patient data. The lawsuit sought damages as well as equitable and injunctive relief, including a requirement that Keystone Health ensure it has an effective and comprehensive security program[10]. Another lawsuit, filed on behalf of a minor child and others similarly situated, sought injunctive and other equitable relief due to the breach[3].
In response to the legal actions and the breach, Keystone Health agreed to a settlement that included the implementation of stronger security measures, such as enhanced password protocols, vulnerability monitoring, and employee cybersecurity training. The settlement also provided for credit monitoring and insurance services, as well as cash payments for documented losses related to the breach[4].
The breach and its aftermath highlight the importance of robust cybersecurity measures and the potential consequences of failing to protect sensitive patient information adequately.
Citations:
[1] https://healthitsecurity.com/news/keystone-health-data-breach-impacts-phi-of-235k-individuals
[2] https://www.idstrong.com/sentinel/keystone-health-data-breach/
[3] https://www.classaction.org/media/whitehead-v-keystone-health.pdf
[4] https://keystoneclassaction.com/en/Home/FAQ
[5] https://www.databreaches.net/keystone-health-notifies-235237-patients-of-data-security-breach/
[6] https://www.keystonefirstpa.com/pdf/provider/resources/manual-forms/manual/provider-manual.pdf
[7] https://www.law.com/thelegalintelligencer/2022/10/20/keystone-health-hit-with-class-action-over-data-breach-allegedly-exposing-info-of-235k-patients/
[8] https://www.classaction.org/media/brake-v-keystone-rural-health-center.pdf
[9] https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
[10] https://www.hipaajournal.com/lawsuits-filed-against-oakbend-medical-center-and-keystone-health-over-data-breaches/
[11] https://www.hipaajournal.com/235000-keystone-health-patients-affected-by-august-2022-cyberattack/
[12] https://casetext.com/case/keystone-care-admin-servs-inc-v-grossinger-2
[13] https://www.keystonefirstpa.com/provider/resources/communications/hipaa/committment.aspx
[14] http://shublawyers.com/news/keystone-final-approval/
[15] https://www.keystonefirstpa.com/pdf/member/privacy.pdf