1

ADVENTHEALTH DATA BREACH

AdventHealth Data Breach Response and Ethics

Mason Guy

Florida State College at Jacksonville

ISM3013: Intro Info Tech Mngt

Professor Amaro

February 14, 2021

 2
ADVENTHEALTH DATA BREACH
Abstract

Data breaches have become more common today despite all the security measures companies

take to protect company and user data. The severity of the data breach depends on the company

and how long it takes for the breach to get noticed. This paper will investigate AdventHealth, a

healthcare company, that was the subject of a data breach that went unnoticed for sixteen months

that allowed a hacker to view sensitive information on patients of the company. Due to the

severity of the data breach and the information that was taken, the response AdventHealth takes

is crucial to resolve the issue and protect their customers data. This paper will also review the

way AdventHealth responded to the breach and what was done to help their customers protect

themselves from any issues that might occur due to the information that was accessed.
 3
ADVENTHEALTH DATA BREACH
AdventHealth Data Breach Response and Ethics

AdventHealth experienced a data breach by implementation of malware that was

discovered in 2018 which allowed an unauthorized outside user to view patient’s sensitive

information over a sixteen-month period from August of 2017 to late December of 2018.

AdventHealth is a faith-based healthcare company which provides services to patients across

eleven states. They are headquartered in Altamonte Springs, Florida where they strive for quality

service as well as high ethical standards.

AdventHealth, founded in 1973, has more than 80,000 employees across nine states in

“physician practices, hospitals, outpatient clinics, skilled nursing facilities, home health agencies,

and hospice centers” to provide patients with quality care (AdventHealth, 2021). Their mission

statement states, “we believe health should be measured in terms of the whole person – body,

mind and spirit” adding that it is their mission/promise to “help your feel whole through

compassionate care and world-class expertise” (AdventHealth, 2021). AdventHealth specializes

in over 44 categories of medicine including but not limited to Pulmonary and Sleep Medicine,

Behavioral Health, and Hematology. Seeing as they specialize in such a wide variety of

healthcare, it is expected that they hold a lot more patient’s sensitive information than most other

hospitals and healthcare locations. With that being said, a data breach could have a large impact

on those who expect their information to be safe in the hands of AdventHealth due to the type of

information they would have to hold onto as a healthcare provider.

In late December of 2018, it was discovered that an unauthorized outside source had

gained access to AdventHealth’s systems containing information on patients who AdventHealth

cares for. Information included in this data breach was “health data, including names, Social

Security numbers, dates of birth, medical history”, and other information such as “insurance
 4
ADVENTHEALTH DATA BREACH
carriers, phone numbers, and email addresses” (Loricca, 2019; Shepard, 2019). The unauthorized

user installed malware onto AdventHealth’s system in order to gain the access they did,

seemingly targeting only patient data as stated earlier (Alder, 2019). In total, 42,000 patients in

the Pulmonary and Sleep Medicine units had their information compromised due to the data

breach; the unauthorized user had access to AdventHealth’s server for a period of sixteen months

from August of 2017 to December of 2018 (Loricca, 2019). Due to the amount of time it took

before the breach was noticed, AdventHealth moved to the top of the list of “longest reported”

data breaches in “the healthcare sector” (Davis, 2019). This data breach was also one of 500

other healthcare related data breaches in 2018 alone; the 2018 data breaches make up a total of

“more than fifteen million patients whose records” and sensitive information were compromised,

making the total of compromised patients “triple from 2017” (Loricca, 2019). Due to the type of

information that was breached as well as the large number of patients that could and have been

impacted by the breach, AdventHealth had to respond quickly to stop any more information from

being breached and to help those impacted once the data breach had been found.

After the discovery of the data breach in late December of 2018, action was taken as fast

as possible. AdventHealth quickly notified the Department of Health and Human Services within

the sixty-day timeline required by Health Insurance Portability and Accountability Act, better

known as HIPPA (Davis, 2019). Unfortunately, some of those patients who were impacted by

the data breach were not notified until March 10th of 2019, which is thirteen days after the sixty-

day requirement set forth by HIPPA, due to AdventHealth waiting until January 25th of 2019 to

start sending notification letters (Davis, 2019; Adler, 2019). This delay of almost a month past

the identification of the breach, no matter the reason, not only keeps those impacted in the dark

when it comes to their very personal and sensitive information, it also directly breaks the HIPPA
 5
ADVENTHEALTH DATA BREACH
requirements that could lead to further issues for AdventHealth. Once those who were impacted

were notified their data has been compromised, AdventHealth offered identity monitoring

services including, “complimentary credit monitoring, fraud consultation, and identity theft

restoration services through Kroll”, a corporate investigations and risk consulting firm, for a

period of twelve months (Adler, 2019). Along with the identity monitoring services being

provided, AdventHealth advised the patients to “monitor their explanation of benefits

statements” from their insurance providers for any signs of someone misusing their insurance

information that was a part of the data breach (Adler, 2019). After the malware that gave access

to patient information was removed and in order to hopefully prevent any new data breaches

from occurring, AdventHealth claimed to have “improved its processes to enhance auditing and

system safeguards” (Loricca, 2019). The best thing AdventHealth can do for the information of

its patients would be to implement regular “risk assessment and vulnerability scans”, allowing

breaches to be caught sooner when they occur and hopefully prevent any sensitive data from

anyone who should not have access to said information (Loricca, 2019). Implementation of more

security measures as time goes on will be vital to ensure all sensitive data, whether it is in

relation to the business/company or the customers, is protected from those who should not have

access to that data.

In conclusion, AdventHealth should have noticed the data breach a lot sooner than they

had. For sixteen months some of the most sensitive data of their own patients were available to

an unauthorized user putting over 42,000 people at risk. Although once the breach was noticed

AdventHealth responded as quickly as possible and offered a years’ worth of identity monitoring

software for free, the data of those impacted was already exposed to someone who should have

never had access to that information.

 6
ADVENTHEALTH DATA BREACH
References

AdventHealth. (2021). Who we are. Retrieved February 13, 2021, from

https://www.adventhealth.com/who-we-are

Alder, S. (2019, February 15). 16-Month malware infection at Florida Pulmonary & sleep

Medicine CENTER Impacts 42,000 PATIENTS. Retrieved February 13, 2021, from

https://www.hipaajournal.com/16-month-malware-infection-at-florida-pulmonary-sleep-

medicine-center-impacts-42000-patients/

Davis, J. (2019, February 15). 42,000 AdventHealth Patients impacted In YEARLONG data

breach. Retrieved February 13, 2021, from https://healthitsecurity.com/news/42000-

adventhealth-patients-impacted-in-yearlong-data-breach

Loricca. (2019, February 21). AdventHealth: Healthcare data BREACH goes undetected for over

a year - Loricca AdventHealth data Breach undetected. Retrieved February 13, 2021,

from https://loricca.com/adventhealth-data-breach/

Shepard, S. (2019, February 20). Nearly 50,000 AdventHealth Patients impacted In

YEARLONG data breach. Retrieved February 13, 2021, from

https://securitytoday.com/articles/2019/02/20/nearly-50000-adventhealth-patients-

impacted-in-yearlong-data-breach.aspx