Ky. Community Hospital Hack Could Date Back Four Years

Healthcare and Public Health // Kentucky, United States

Parent company OH Muhlenberg on Nov. 13 disclosed a network intrusion at Muhlenberg Community Hospital that potentially affects all of its patients, payment guarantors, employees and some providers dating back, possibly, to January 2012.

A “limited number” of computers were infected by a keystroke-logging program designed to capture information as users typed, company officials said.

The affected computers were used to enter patient financial details and health information, information about the people responsible for a patient’s bill and employee/contractor data. The details included, among other things, telephone numbers, dates of birth, Social Security numbers, diagnoses/treatment information, and payment card data.

The firm believes the malware also could have stolen usernames and passwords for websites that users visited.

The FBI informed the hospital of possible computer misuse in September.

Upon learning of the “suspicious network activity involving third parties,” the hospital took “immediate action” and confirmed that the computers had been compromised, officials said.

After detecting the malicious software, “the hospital took prompt steps to address and contain it,” including immediately blocking unauthorized IP addresses involved in the attack and taking steps to disable the malware, officials added.