The MetroHealth System

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

MetroHealth System Data Breaches

The MetroHealth System in Cleveland, Ohio, has experienced multiple data breaches affecting patient information over the years.

Employee Access Breach

An employee at MetroHealth System was disciplined for inappropriately accessing patient medical records over a period starting in 2008 and continuing until 2023. The records accessed included names, birthdates, and clinical information, but financial data such as Social Security numbers or banking information was not accessed. There is no evidence that the information was misused. MetroHealth has notified all patients whose records were affected by this incident, in accordance with the Health Insurance Portability and Accountability Act (HIPAA). The health system is also taking steps to strengthen privacy processes and training to prevent future incidents[1][4].

Electronic Medical Records System Upgrade Breach

In April 2022, MetroHealth experienced a privacy breach affecting about 1,700 patients due to an upgrade to the health system’s electronic medical records system. During this upgrade, some patient records were released that inadvertently included data pertaining to other patients. The information released included patient names, dates of service, and provider names, but no personal, financial, or other health-related information was shared. MetroHealth began notifying affected patients and took steps to manage the situation[6][7][8][10][11].

Ransomware Attack on Vendor CaptureRx

In early 2021, a ransomware attack on CaptureRx, a Texas-based vendor for MetroHealth that manages 340b drug pricing programs, compromised the personal health data of an unknown number of MetroHealth patients. The breach, which was confirmed in February, involved unauthorized access to files containing patient names, birthdates, and prescription information. CaptureRx began notifying affected patients in late May and advised them to monitor their accounts and credit reports[2][3][9][12].

MetroHealth continues to work with CaptureRx and has taken measures to enhance the security of its systems and protect against future incidents. Patients affected by these breaches have been provided with information on how to safeguard their information and have access to toll-free information lines for further assistance[1][2][12].

Citations:

  1. https://www.cleveland.com/metro/2023/06/metrohealth-employee-disciplined-for-patient-data-breaches-since-2008-no-evidence-information-was-misused.html
  2. https://www.news5cleveland.com/news/local-news/cleveland-metro/ransomware-attack-on-metrohealth-vendor-compromises-patient-health-data-other-pharmacies-affected
  3. https://www.wkyc.com/article/news/health/metrohealth-capturerx-data-breach-security-incident-patient-information/95-c584a5d7-84fa-461b-a611-79ab108d7309
  4. https://www.hipaajournal.com/15-year-employee-privacy-breach-discovered-by-metro-health-system/
  5. https://www.cleveland.com/healthfit/2021/06/vendors-data-breach-affects-patient-information-at-metrohealth-neighborhood-family-practice.html
  6. https://www.wkyc.com/article/news/local/cleveland/metrohealth-data-breach-1700-patients/95-828cbbe8-18ce-4baf-bb0f-389d5e5e16c6
  7. https://fox8.com/news/about-1700-metrohealth-patients-affected-by-data-breach/
  8. https://www.cleveland.com/healthfit/2022/04/data-breach-at-metrohealth-affected-some-patient-records.html
  9. https://healthitsecurity.com/news/capturerx-data-breach-hits-metrohealth-system-16-others
  10. https://sos-vo.org/news/metrohealth-data-breach-involved-1700-patients
  11. https://www.infosecurity-magazine.com/news/metrohealth-data-breach-involved/
  12. https://www.cleveland19.com/2021/06/10/metrohealth-addresses-data-security-incident/
Breach Submission Date Apr 11, 2022
Converted Entity Name The MetroHealth System
Converted Entity Type Healthcare Provider
State OH
Individuals Affected 1,748
Breach Type Unauthorized Access/Disclosure

Breach Information Location Electronic Medical Record, Email, Paper/Films

Business Associate Present Yes