The MetroHealth System
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
MetroHealth System Data Breaches
The MetroHealth System in Cleveland, Ohio, has experienced multiple data breaches affecting patient information over the years.
Employee Access Breach
An employee at MetroHealth System was disciplined for inappropriately accessing patient medical records over a period starting in 2008 and continuing until 2023. The records accessed included names, birthdates, and clinical information, but financial data such as Social Security numbers or banking information was not accessed. There is no evidence that the information was misused. MetroHealth has notified all patients whose records were affected by this incident, in accordance with the Health Insurance Portability and Accountability Act (HIPAA). The health system is also taking steps to strengthen privacy processes and training to prevent future incidents[1][4].
Electronic Medical Records System Upgrade Breach
In April 2022, MetroHealth experienced a privacy breach affecting about 1,700 patients due to an upgrade to the health system’s electronic medical records system. During this upgrade, some patient records were released that inadvertently included data pertaining to other patients. The information released included patient names, dates of service, and provider names, but no personal, financial, or other health-related information was shared. MetroHealth began notifying affected patients and took steps to manage the situation[6][7][8][10][11].
Ransomware Attack on Vendor CaptureRx
In early 2021, a ransomware attack on CaptureRx, a Texas-based vendor for MetroHealth that manages 340b drug pricing programs, compromised the personal health data of an unknown number of MetroHealth patients. The breach, which was confirmed in February, involved unauthorized access to files containing patient names, birthdates, and prescription information. CaptureRx began notifying affected patients in late May and advised them to monitor their accounts and credit reports[2][3][9][12].
MetroHealth continues to work with CaptureRx and has taken measures to enhance the security of its systems and protect against future incidents. Patients affected by these breaches have been provided with information on how to safeguard their information and have access to toll-free information lines for further assistance[1][2][12].
Citations:
- https://www.cleveland.com/metro/2023/06/metrohealth-employee-disciplined-for-patient-data-breaches-since-2008-no-evidence-information-was-misused.html
- https://www.news5cleveland.com/news/local-news/cleveland-metro/ransomware-attack-on-metrohealth-vendor-compromises-patient-health-data-other-pharmacies-affected
- https://www.wkyc.com/article/news/health/metrohealth-capturerx-data-breach-security-incident-patient-information/95-c584a5d7-84fa-461b-a611-79ab108d7309
- https://www.hipaajournal.com/15-year-employee-privacy-breach-discovered-by-metro-health-system/
- https://www.cleveland.com/healthfit/2021/06/vendors-data-breach-affects-patient-information-at-metrohealth-neighborhood-family-practice.html
- https://www.wkyc.com/article/news/local/cleveland/metrohealth-data-breach-1700-patients/95-828cbbe8-18ce-4baf-bb0f-389d5e5e16c6
- https://fox8.com/news/about-1700-metrohealth-patients-affected-by-data-breach/
- https://www.cleveland.com/healthfit/2022/04/data-breach-at-metrohealth-affected-some-patient-records.html
- https://healthitsecurity.com/news/capturerx-data-breach-hits-metrohealth-system-16-others
- https://sos-vo.org/news/metrohealth-data-breach-involved-1700-patients
- https://www.infosecurity-magazine.com/news/metrohealth-data-breach-involved/
- https://www.cleveland19.com/2021/06/10/metrohealth-addresses-data-security-incident/