PHI of 320,000 Patients Possibly Exposed in EHR Vendor Hacking Incident

QRS Inc based in Tennessee, a company providing healthcare technology services, Paradigm practice management and electronic health records (EHR) solutions, has reported a data breach that affected the protected health information (PHI) of nearly 320,000 persons. The cyberattack was discovered on August 26, 2021, after three days of the actual server breach.

In its breach notification letters, QRS stated that a hacker acquired access to the electronic patient website and possibly viewed and exfiltrated the PHI of a number of of its healthcare company clients’ patients.

Upon discovery of the breach, QRS immediately took the compromised server offline to block the hacker’s unauthorized access and launched an investigation to find out the nature and extent of the breach.

With the help of a third-party computer forensics company, QRS confirmed that the breach only affected one server. Its QRS systems and those belonging to its clients were impacted. The compromised server had files that contained PHI like names, addresses, birth dates, Social Security numbers, patient ID numbers, portal usernames, and clinical treatment and diagnosis data.

QRS stated that unauthorized access and exfiltration of data cannot be eliminated, however, it isn’t aware of any incidents of attempted or actual patient data misuse.

On October 22, 2021, QRS began delivering notification letters to all impacted persons on behalf of its impacted healthcare company clients. Persons whose Social Security numbers were exposed got free access to identity theft protection services as a safety measure. QRS stated it is taking steps to evaluate and deal with the risk of the same incident happening later on.

Law enforcement was informed and the breach report was sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR breach portal shows that the PHI of approximately 319,778 people was held on the breached server.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone