Metro Infectious Disease Consultants Report 172,000-Record Data Breach
Healthcare organizations monitor thousands of patients. As a result, their networks act as repositories for thousands of files containing private information. As these repositories grow, they become alluring targets for hackers. From 2019 to 2020, cyberattacks against healthcare groups increased by 55%. Covid-19 rendered these groups more vulnerable to attack than before. Hackers exploited weaknesses in telehealth and work-from-home software. Thieves also targeted storage area networks dealing with a huge influx of patient data.

Healthcare organizations must comply with HIPAA. The law obliges organizations to keep patient data safe. Unfortunately, it's hard to stay ahead of hackers. As we head into Autumn 2021, cybersecurity threats grow. In June, hackers targeted Metro Infectious Disease Consultants. The resulting breach exposed hundreds of thousands of patient files.

Read on to learn more about how HIPAA regulates patient data security. Then, discover what went wrong for Metro Infectious Disease Consultants. Finally, learn how groups are tightening security, and what to do if your data is exposed.

What Is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act. In 1996, Congress passed HIPAA to empower patients. HIPAA grants patients several rights. Primarily, these rights help a person stay insured as they change jobs. HIPAA also makes sure insurance policies let people add family members to their plans. Most notably, though, HIPAA protects patients' private health information (PHI). Congress strengthened these protections in 1999. That year, Congress amended HIPAA with the Privacy Rule. It passed the amendment in 2000.

Privacy Rule

The Privacy Rule sets security standards. Healthcare organizations must protect patients' PHI with strategies that comply with HIPAA. Patients' privacy must be the default state. No healthcare group can share a patient's PHI unless that patient grants them permission. The patient must grant permission in writing. The only exceptions enable healthcare organizations to share PHI in life-or-death situations. Also, HIPAA grants patients the right to access their own PHI. Patients have the right to receive their own health information without significant barriers. Hackers and thieves don't ask permission. So, HIPAA requires organizations to implement data security measures. If hackers breach the healthcare group's security system, the group must notify patients.

Breach Notification Rule

HIPAA's Breach Notification Rule describes how healthcare groups must respond to a security breach. A healthcare group must first evaluate the likely degree of risk to patients as a result of the breach. To assess risk, the organization must consider different factors. These include:

  • The extent of breached information
  • Whether breached information contained identifying details
  • Who exposed the data
  • Whether or not unauthorized persons viewed or sold the data
  • What risk mitigation strategies the organization had in place

Some strategies, like encrypting data, mitigate risk significantly. If a hacker steals data but can't decrypt it, the data is still safe. Not all threatening situations count as a breach.

Notification Process

If the risk level passes a reasonable threshold, the organization must notify different parties. Depending on different variables, the Breach Notification Rule may require an organization to notify:

  • Individual affected patients
  • All patients and partners (via general notice)
  • Media outlets (via press release)
  • The OCR Secretary (via the portal)
  • Congress (via breach report)

The organization must send all notifications within 60 days. OCR helps organizations file breach reports. If an organization has questions about filing a report, it can call OCR at (800)-368-1019. An organization can also contact an OCR representative by email. The Breach Notification Rule requires organizations to answer specific questions in the notification. The notification must address:

  • How did the breach happen?
  • What was the nature of the breached information? (e.g., film, prescription labels, etc.)
  • What specific information did the breach expose?
  • How is the organization investigating the breach?
  • How is the organization mitigating risk?
  • How can affected individuals mitigate their risks?

If an organization doesn't notify responsibly, it may violate HIPAA. HIPAA violation carries its own risks.

HIPAA Enforcement

In most cases, patients cannot sue over HIPAA violations. Instead, when someone suspects a violation, they file a complaint with the regulatory department. The Department of Health and Human Services (HHS) enforces HIPAA. Specifically, the HHS' Office for Civil Rights (OCR) investigates alleged HIPAA violations. When OCR finds a healthcare organization in violation of HIPAA, it may impose penalties. These penalties might be fines, corrective action, or resolution agreements. In rare cases, OCR may find an individual or organization violated criminal law. In those cases, the offender could be arrested and sentenced in criminal court. Some states have additional laws protecting patients' privacy. In those states, patients may sue an organization that violated their rights.

Who Must Comply With HIPAA?

HIPAA regulates healthcare organizations. Any organization that uses patient data must comply with HIPAA. This includes:

  • Hospitals
  • Clinics
  • Medical practices
  • Emergency medical services
  • Health insurance companies
  • Third-party brokers
  • Clinical trial facilities
  • Healthcare technology companies

HIPAA does not regulate non-healthcare organizations. Only healthcare organizations will be held liable for HIPAA violations.

Metro Infectious Disease Consultants Breach

Metro Infectious Disease Consultants' security breach put 171,740 patients' data at risk. The group reported the breach within sixty days, in compliance with HIPAA. It is now taking steps to mitigate the risk.

Why Metro Infectious Disease Consultants?

Metro Infectious Disease Consultants (MIDC) is an infectious disease specialist group that acts as a consultant to physicians. This group advises doctors who face challenging disease presentations. MIDC uses infectious disease expertise to improve diagnosis accuracy and treatment plan efficacy. It develops outpatient antibiotic therapies to combat rare infections or presentations. It also offers biologic infusion services. MIDC works with patients on behalf of physicians and with patients directly. Its hospital avoidance program tailors treatment plans to the needs of chronically ill patients. Metro Infectious Disease Consultants is based in Chicago, Illinois, but the group has offices in seven states. As a healthcare specialist, MIDC must comply with HIPAA regulations. As a large organization housing specialized patient data, it's an attractive target for hackers.

Employee Email Breach

On June 24th, 2021, MIDC leaders learned that patient data might have been exposed. They discovered an unauthorized party had accessed an employee's email account. Using this employee's account, the party was able to access over one hundred thousand patients' PHI. In this case, PHI included:

  • Identifying patient information
  • Addresses
  • Insurance numbers
  • Prescriptions
  • Social Security Numbers
  • Other treatment information

It's unclear if the party successfully viewed the information. The party may not have been able to decode encrypted information. Or, the leaders may have detected the breach in time to cut off access. If so, it's possible the party didn't have time to copy or download the PHI. Despite uncertainties, MIDC confirmed the source of the breach. It is not the only group that's discovered email was a weak link in their security chain.

Email Vulnerability

Employee email accounts can be particularly vulnerable to hacking. Hackers may send an employee an email that contains a virus. Once opened, the virus can give the hacker access to the email account. Or, a hacker can figure out an employee's password if it isn't strong enough. Hackers use different tools to guess or crack a password. Guessing relies on social engineering, while cracking relies on automated programs.


When leaders discovered the breach, they took action. MIDC hired a forensic security firm to investigate the breach. Computer forensics is the process of gathering evidence from computer networks, hardware, and software, and analyzing that evidence to draw conclusions. The forensics firm can evaluate the security of MIDC's network and email systems. It can also recommend improvements to cybersecurity.


MIDC complied with HIPAA's Breach Notification Rule. On August 16, 2021, the consulting group reported the breach to OCR. OCR posted the notice to the list of breaches it's currently investigating. At the same time, MIDC notified patients and partners. The group notified patients individually. It also posted a public notice on its website. Per HIPAA regulations, MIDC put contact information in its public breach notice. Patients may contact MIDC to learn more about the breach. The contact options include an email address and a toll-free phone number.

Complimentary Risk-Mitigation Services

OCR continues to investigate the breach. In the meantime, MIDC is offering affected patients credits to pay for services. The services can help patients mitigate the risk of identity theft and financial problems post-exposure. Specifically, MIDC offers complimentary identity protection and credit monitoring services. Only affected patients can accept the credits.

Stay Safe After Data Exposure

Even with security measures in place, your data could be exposed in a breach. What should you do then? If your personal information is exposed, take steps to prevent financial fraud or identity theft. Hire a credit monitoring service. And, look into options to prevent identity theft. If you or the service detects fraud, take action. Report fraud to law enforcement. In rare cases, you may need to apply for a new Social Security number. PHI exposure, in particular, introduces unique risks. You may fear discrimination based on your medical status. Knowledge is the best defense against discrimination. Know that it is illegal to discriminate against a person due to a medical condition. Anti-discrimination laws apply to employers, businesses, and government departments. If someone obtains your private medical data, remind them it's illegal to use it against you.

Can Your Organization Handle Cyber-Threats?

Healthcare organizations already know why to meet HIPAA regulations. But how can you best protect patients' data? As technology evolves, so do threats. HIPAA Exams offers over forty courses to help organizations meet the law's standards, no matter how savvy hackers get. Consider the course Security Awareness Training: Cybersecurity. This one-hour class teaches organizations about contemporary virtual threats. Then, it gives you the tools to stop them. Sign up today, or bundle it with other courses and save. Your patients will thank you.