The University Health System is in the process of notifying 1,882 patients about a security breach that occurred between May 2015 and December 2016 where an unauthorized Ohio man, Phillip Durachinsky, may have been able to view patient information. The University Health System issued a disclosing the matter Wednesday.
According to court documents, Durachinsky was indicted Jan. 10 in the United States District Court for the Northern District of Ohio on allegations of accessing and damaging protected computers, production of child pornography, aggravated identity theft and illegal wiretap. Durachinsky was involved in his scheme “to access protected computers without permission” from around 2003 through January 2017, the indictment reads.
According to the indictment, Durachinsky accessed computers owned by “local, state and federal governments, a police department, companies, individuals and schools,” including the University of Virginia. Durachinsky developed a computer malware known as “Fruitfly” which he installed into the thousands of computers he breached, the indictment states.
The University Health System became aware of the situation in December 2017, and conducted an internal investigation in partnership with the Federal Bureau of Investigation to determine the cause and details of the situation. The investigation discovered that the Fruitfly malware was downloaded on a physician’s computer, allowing Durachinsky to simultaneously view opened data on the computer at the same time as the physician.
Due to the ability of the physician to conduct business and access records from his computer, “the third party may have been able to view some patient information, which may have included patients’ names, diagnoses, treatment information, addresses and dates of birth,” the release said. However, the third party was unable to view patients’ Social Security numbers and financial information.
Regina Verde, University Health System chief corporate compliance and privacy officer, said the University Health System found out of the security breach upon notification from the FBI.
“We were notified by the FBI that we were the victim of a crime of this malware operator,” Verde said.
Verde also stated the University Health System was not the only victim of the crime and the third party was arrested before the FBI began notifying involved victims.
“The FBI arrested this malware operator and then after screening his technology, they began notifying the victims of [his] crime,” Verde said. “We were not the only victim and when they notified us, then we began our investigation into the incident.”
“Based on information from the FBI, we did learn that this operator did not have an interest in using or further disclosing any patient information,” Verde added.
Verde said following the revelation of the incident, the University Health System performed a security analysis and acted accordingly to implement new security controls in order to continue to protect patient confidentiality.
“We did an analysis and determined that we could make some additional enhancements to our information security controls on patients’ information,” Verde said. “We have made some additional controls, put them into place.”
Verde emphasized the health system’s priority in maintaining the privacy and confidence of patients.
“We take our patients’ confidential information very seriously,” Verde said. “We strive our very best to keep it private and secure and we will continue to do so going forward.”
The University Health System is continuing to cooperate with the FBI in an ongoing investigation. Patients with questions or concerns should call (866) 291-7429.