On August 9, 2021, Texas ENT (Ear, Nose, and Throat Specialists) was hit by a cyberattack that led to a medical data breach affecting 535,489 patients.

On October 19, Texas ENT learned about the data breach. Further investigation showed that the attack occurred between August 9 and August 15. During these six days, hackers got access to ENT computers and copied medical files that contain sensitive data.

On December 10, 2021, Texas ENT started sending emails to patients, notifying them about the data theft.

What are the consequences of such an attack for both the affected individuals and Texas ENT, and what is ENT doing to strengthen its security?

Which Sensitive Data Has Been Stolen in the Breach?

Texas ENT operates in 15 different locations that offer medical care in a variety of areas. This includes centers that specialize in plastic surgery, hearing, voice recovery, and allergies.

To get an appointment in any of the ENT centers, patients must fill in a form containing their name, email address, cell phone number, and date of birth - giving access to information that's valuable to hackers.

Once accepted for treatment, patients trusted Texas ENT with additional sensitive information.

Sensitive data stolen in the breach includes patients' names, birth dates, medical record numbers, social security numbers, and codes for billing.

Hackers weren't able to access the part of the system that holds electronic medical records, which contain the history of medical treatments and details of patient care.

ENT also highlighted that the files that were stolen and copied didn't contain the social security numbers of all patients. 

Patients whose social security numbers were in the stolen files were notified about the incident on December 10 and were offered free identity monitoring services.

All patients who received the email were asked to take extra precautions when reviewing statements they get from healthcare providers.

Any stolen data could have given hackers information that could have led to fraudulent activities and made it easier for hackers to impersonate a healthcare authority.

Patients were especially vulnerable during the period in which they were unaware of the breach, because they didn't expect possible illicit activities.

Texas ENT Working on Strengthening Its Security

In their security incident notice, Texas ENT states:

"To help prevent something like this from happening again, we are further strengthening our existing privacy and information security program by implementing additional safeguards and technical security measures to protect and monitor our systems."

Further details on their plan to strengthen their systems or even the cause of the cyberattack haven't been disclosed. 

It's also not clear whether Texas ENT had security measures and protocols that adhere to industry standards in the first place, or whether such measures could have helped it avoid this major data breach.

Healthcare organizations such as ENT must follow the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA governs the security measures healthcare organizations must take to keep medical information safe.

It details how to guard medical information at the physical, administrative, and technical levels within the organization.

The law stresses the importance of having software that safeguards access to sensitive data from external threats (such as a firewall). It also covers the necessity of employee training in cybersecurity to reduce the chance of human errors.

As for preventive measures, it emphasizes the importance of frequent scanning for threats and having a proper monitoring process that detects suspicious activities early.

Following a breach, the regular protocol that organizations follow includes:

  • Analyzing details that led to the incident

  • Improving systems that protect businesses from different types of attacks

  • Patching up any flaws that caused an attack

  • Scanning for uncovered vulnerabilities

The exact type of data breach, and whether the vulnerabilities that hackers exploited to get into the ENT system have since been mitigated, are still unknown.

Possible Lawsuit on the Horizon

Texas ENT is currently being investigated by a law firm that specializes in healthcare data breaches. 

The firm has yet to determine whether Texas ENT notified patients in time, whether proper security measures were in place before the attack, and whether it has informed all affected individuals about the attack and data breach.

Affected individuals are invited to contact a privacy attorney to review whether they're eligible to file a lawsuit due to the data breach. Another option they have is joining other plaintiffs in a class action lawsuit.

Texas ENT offers top-rated care to their patients. It's time that they offer top-notch security and privacy for their patients who trust them with sensitive data as well.