The Ohio Hospital recently reported they had been impacted by a third-party data breach.
What happened
TriHealth, a Cincinnati-based hospital providing primary care and a variety of services, recently faced a data breach.
In a November 6th breach notice posted to their website, the hospital said some patients may have been involved in a “third-party data breach.”
The company said they learned of the incident on October 23rd, 2024. One of their vendors had been the victim of a breach targeting historical electronic documents in storage. These documents were related to care provided by For Women, a previously independent OB/GYN group that had joined TriHealth in January 2020.
TriHealth stated that the incident did not involve TriHealth’s computer network or any records created after For Women joined TriHealth. The hospital has been a leading women’s healthcare provider and has shared that 1 in 3 babies in the Cincinnati area are delivered at TriHealth hospitals.
Going deeper
TriHealth analyzed the data involved and determined that accessed information includes names, addresses, dates of birth, Social Security numbers, claims information and clinical information, including medical conditions, medications, lab results, and more.
Currently, it’s unknown how many individuals may have been impacted.
In response, TriHealth is sending letters to individuals with a valid mailing address and offering complimentary identity theft protection services. TriHealth says they currently have “no reason to believe that any personal information has been misused for the purpose of committing fraud or identity theft.” The hospital does, however, recommend patients remain vigilant in monitoring for potential identity theft or fraud.
Why it matters
Incidents like these can be damaging to a hospital’s reputation. It can also lead to financial implications; many healthcare organizations that have been victimized by a data breach face class action lawsuits and potential penalties. On top of those costs, TriHealth may be incentivized to improve their current cybersecurity, leading to many expenses at one time.
For patients, data breaches can be frustrating. Breaches can lead to increased spam calls, emails, and mail. It also increases the risk of identity theft and fraud, which can be difficult situations to resolve once they start.
Outside of this, it’s common for healthcare organizations to outsource certain tasks to third parties, like TriHealth did. While this may be good for efficiency, it means patients don’t always know who has their data, thus making breaches more complex for patients to understand and navigate.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
