After a server that contained information of about 180 Ohio State Medical Center students and patients was hacked in November, hospital and university representatives say action is now being taken.
The first names, last names and diagnosis of 30 patients that stayed in the hospital between the late 1980s and 2004 could have been accessed on the server at the medical center that was hacked Nov. 3, said David Crawford, communications director at the medical center.
“It was information that couldn’t be easily traced,” Crawford said.
Students at the medical center whose information was accessed is a different story, Crawford said.
The names and social security numbers of about 150 students at the hospital in 2006 were also on the server that was accessed. In 2006, the medical center used social security numbers to identify the students, a policy that has since been changed.
“We don’t use social security numbers to identify students anymore,” Crawford said.
The students received letters notifying them of the hacked server in mid-December, Crawford said, and the patients were notified about a week ago.
Crawford said it was the Information Technology Department that discovered the medical center breach, although he could not say how.
Julie Talbot-Hubbard, the chief information security officer at OSU, said IT looks for cyber vulnerabilities on a monthly basis, but this case was different.
“I was notified by an external individual and then my team basically went in, did the investigation and took the server offline,” Talbot-Hubbard said.
Alese Russell, a fifth-year in health information management, said she has experience seeing how things work behind-the-scenes in a hospital. She said because of how complex and intricate the systems are, there is always a risk.
“Documenting people electronically and having electronic records, there’s always a risk of something like that happening just like it would be with paper,” Russell said.
Yet Crawford said nothing like this has happened at the medical center before. But security breaches are nothing new at OSU.
On Oct. 22, 2010, the university discovered that a server, which fell under the responsibilities of the Office of the Chief Information Officer, had been breached and the identities of about 760,000 people had been jeopardized.
Amy Murray, assistant director of media relations at OSU, said in an email Monday that no “medical center patient records or student health records were involved” in the October 2010 breach.
While the IT department determines if there has been a breach, Ohio State Police have a say in whether the breach was accidental or a threat.
Captain Dave Rose of University police said there is a team made up of experts on computer intrusions that evaluate each discovered breach.
“Our part in the meeting is to determine whether or not there has been a criminal violation,” Rose said.
After that determination has been made, University police will take action.
Rose said that since he didn’t sit in on the meeting about this breach, he doesn’t know enough about the case to comment on who hacked the server, although he said he will know more in a day or two when the police report has been generated.
In the mean time, Crawford said the medical center is taking measures to increase its cyber security, whatever the cost.
“There’s always a cost to upgrading security levels, but that’s not a factor,” Crawford said. “Cost is not going to be a deterrent.”
Crawford did not have an estimate of how much it could cost to upgrade security. He did say that all servers will be inventoried to try to locate servers that might be vulnerable and add another level of security.
For victims of the hacking, the medical center has provided up to one year of credit protection through Debix, The Identity Protection Network, a company headquartered in Austin, Texas.
Crawford said it is good to take precautions in this matter, and the medical center is going to safeguard to the best of its ability.
“We don’t think that the information was actually taken,” Crawford said. “Because it was part of the server, we want people to be aware that there is that risk.”
