Keystone First

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

In August 2022, Keystone Health, a Pennsylvania-based healthcare system, experienced a significant data breach that potentially impacted the personal health information (PHI) of over 235,000 individuals. The unauthorized access to Keystone Health’s systems occurred between July 28, 2022, and August 19, 2022. The breach was discovered when a glitch caused the organization’s systems to go offline temporarily. Keystone Health promptly reported the incident to law enforcement and engaged a third-party cybersecurity firm to investigate the breach[2][5].

The investigation revealed that the unauthorized access resulted in the exposure of sensitive patient information, including names, Social Security numbers, and clinical information. This breach raised concerns about the potential for identity theft and fraud, as the stolen data could be used to access banking, retirement funds, and other financial information, as well as to impersonate victims to pharmacies or insurance companies[2].

In response to the breach, Keystone Health began sending notification letters to affected individuals on October 14, 2022, and offered free credit monitoring services to eligible victims. The organization also established a dedicated hotline for affected individuals to seek assistance[2].

Legal actions followed the breach. A class action lawsuit was filed against Keystone Health, alleging negligence for failing to implement minimum industry standards for protecting patient data. The lawsuit sought damages, equitable and injunctive relief, including a requirement for Keystone Health to ensure it has an effective and comprehensive security program[10]. Another lawsuit, filed on behalf of a minor child and others similarly situated, sought injunctive and other equitable relief due to the breach[3].

In response to the legal actions and the breach, Keystone Health agreed to a settlement that included the implementation of enhanced security measures, such as enhanced password protocols, vulnerability monitoring, and employee cybersecurity training. The settlement also provided for credit monitoring and insurance services, as well as cash payments for documented losses related to the breach[4].

The breach and its aftermath highlight the importance of robust cybersecurity measures and the potential consequences of failing to protect sensitive patient information adequately.

Citations:

  1. https://healthitsecurity.com/news/keystone-health-data-breach-impacts-phi-of-235k-individuals
  2. https://www.idstrong.com/sentinel/keystone-health-data-breach/
  3. https://www.classaction.org/media/whitehead-v-keystone-health.pdf
  4. https://keystoneclassaction.com/en/Home/FAQ
  5. https://www.databreaches.net/keystone-health-notifies-235237-patients-of-data-security-breach/
  6. https://www.keystonefirstpa.com/pdf/provider/resources/manual-forms/manual/provider-manual.pdf
  7. https://www.law.com/thelegalintelligencer/2022/10/20/keystone-health-hit-with-class-action-over-data-breach-allegedly-exposing-info-of-235k-patients/
  8. https://www.classaction.org/media/brake-v-keystone-rural-health-center.pdf
  9. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  10. https://www.hipaajournal.com/lawsuits-filed-against-oakbend-medical-center-and-keystone-health-over-data-breaches/
  11. https://www.hipaajournal.com/235000-keystone-health-patients-affected-by-august-2022-cyberattack/
  12. https://casetext.com/case/keystone-care-admin-servs-inc-v-grossinger-2
  13. https://www.keystonefirstpa.com/provider/resources/communications/hipaa/committment.aspx
  14. http://shublawyers.com/news/keystone-final-approval/
  15. https://www.keystonefirstpa.com/pdf/member/privacy.pdf

Breach Submission Date: Jan 02, 2024
Converted Entity Name: Keystone First
Converted Entity Type: Health Plan
State: PA
Individuals Affected: 1,965
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes