Professional Documents
Culture Documents
Ethicspaper Guymason
Ethicspaper Guymason
Ethicspaper Guymason
Mason Guy
Professor Amaro
Data breaches have become more common today despite all the security measures companies
take to protect company and user data. The severity of the data breach depends on the company
and how long it takes for the breach to get noticed. This paper will investigate AdventHealth, a
healthcare company, that was the subject of a data breach that went unnoticed for sixteen months
that allowed a hacker to view sensitive information on patients of the company. Due to the
severity of the data breach and the information that was taken, the response AdventHealth takes
is crucial to resolve the issue and protect their customers data. This paper will also review the
way AdventHealth responded to the breach and what was done to help their customers protect
themselves from any issues that might occur due to the information that was accessed.
3
ADVENTHEALTH DATA BREACH
AdventHealth Data Breach Response and Ethics
discovered in 2018 which allowed an unauthorized outside user to view patient’s sensitive
information over a sixteen-month period from August of 2017 to late December of 2018.
eleven states. They are headquartered in Altamonte Springs, Florida where they strive for quality
AdventHealth, founded in 1973, has more than 80,000 employees across nine states in
“physician practices, hospitals, outpatient clinics, skilled nursing facilities, home health agencies,
and hospice centers” to provide patients with quality care (AdventHealth, 2021). Their mission
statement states, “we believe health should be measured in terms of the whole person – body,
mind and spirit” adding that it is their mission/promise to “help your feel whole through
in over 44 categories of medicine including but not limited to Pulmonary and Sleep Medicine,
Behavioral Health, and Hematology. Seeing as they specialize in such a wide variety of
healthcare, it is expected that they hold a lot more patient’s sensitive information than most other
hospitals and healthcare locations. With that being said, a data breach could have a large impact
on those who expect their information to be safe in the hands of AdventHealth due to the type of
In late December of 2018, it was discovered that an unauthorized outside source had
cares for. Information included in this data breach was “health data, including names, Social
Security numbers, dates of birth, medical history”, and other information such as “insurance
4
ADVENTHEALTH DATA BREACH
carriers, phone numbers, and email addresses” (Loricca, 2019; Shepard, 2019). The unauthorized
user installed malware onto AdventHealth’s system in order to gain the access they did,
seemingly targeting only patient data as stated earlier (Alder, 2019). In total, 42,000 patients in
the Pulmonary and Sleep Medicine units had their information compromised due to the data
breach; the unauthorized user had access to AdventHealth’s server for a period of sixteen months
from August of 2017 to December of 2018 (Loricca, 2019). Due to the amount of time it took
before the breach was noticed, AdventHealth moved to the top of the list of “longest reported”
data breaches in “the healthcare sector” (Davis, 2019). This data breach was also one of 500
other healthcare related data breaches in 2018 alone; the 2018 data breaches make up a total of
“more than fifteen million patients whose records” and sensitive information were compromised,
making the total of compromised patients “triple from 2017” (Loricca, 2019). Due to the type of
information that was breached as well as the large number of patients that could and have been
impacted by the breach, AdventHealth had to respond quickly to stop any more information from
being breached and to help those impacted once the data breach had been found.
After the discovery of the data breach in late December of 2018, action was taken as fast
as possible. AdventHealth quickly notified the Department of Health and Human Services within
the sixty-day timeline required by Health Insurance Portability and Accountability Act, better
known as HIPPA (Davis, 2019). Unfortunately, some of those patients who were impacted by
the data breach were not notified until March 10th of 2019, which is thirteen days after the sixty-
day requirement set forth by HIPPA, due to AdventHealth waiting until January 25th of 2019 to
start sending notification letters (Davis, 2019; Adler, 2019). This delay of almost a month past
the identification of the breach, no matter the reason, not only keeps those impacted in the dark
when it comes to their very personal and sensitive information, it also directly breaks the HIPPA
5
ADVENTHEALTH DATA BREACH
requirements that could lead to further issues for AdventHealth. Once those who were impacted
were notified their data has been compromised, AdventHealth offered identity monitoring
services including, “complimentary credit monitoring, fraud consultation, and identity theft
restoration services through Kroll”, a corporate investigations and risk consulting firm, for a
period of twelve months (Adler, 2019). Along with the identity monitoring services being
statements” from their insurance providers for any signs of someone misusing their insurance
information that was a part of the data breach (Adler, 2019). After the malware that gave access
to patient information was removed and in order to hopefully prevent any new data breaches
from occurring, AdventHealth claimed to have “improved its processes to enhance auditing and
system safeguards” (Loricca, 2019). The best thing AdventHealth can do for the information of
its patients would be to implement regular “risk assessment and vulnerability scans”, allowing
breaches to be caught sooner when they occur and hopefully prevent any sensitive data from
anyone who should not have access to said information (Loricca, 2019). Implementation of more
security measures as time goes on will be vital to ensure all sensitive data, whether it is in
relation to the business/company or the customers, is protected from those who should not have
In conclusion, AdventHealth should have noticed the data breach a lot sooner than they
had. For sixteen months some of the most sensitive data of their own patients were available to
an unauthorized user putting over 42,000 people at risk. Although once the breach was noticed
AdventHealth responded as quickly as possible and offered a years’ worth of identity monitoring
software for free, the data of those impacted was already exposed to someone who should have
https://www.adventhealth.com/who-we-are
Alder, S. (2019, February 15). 16-Month malware infection at Florida Pulmonary & sleep
Medicine CENTER Impacts 42,000 PATIENTS. Retrieved February 13, 2021, from
https://www.hipaajournal.com/16-month-malware-infection-at-florida-pulmonary-sleep-
medicine-center-impacts-42000-patients/
Davis, J. (2019, February 15). 42,000 AdventHealth Patients impacted In YEARLONG data
adventhealth-patients-impacted-in-yearlong-data-breach
Loricca. (2019, February 21). AdventHealth: Healthcare data BREACH goes undetected for over
a year - Loricca AdventHealth data Breach undetected. Retrieved February 13, 2021,
from https://loricca.com/adventhealth-data-breach/
https://securitytoday.com/articles/2019/02/20/nearly-50000-adventhealth-patients-
impacted-in-yearlong-data-breach.aspx