QRS, an electronic health record (EHR) vendor based in Tennessee, has reported the detection of a portal data breach that exposed the private information of nearly 320,000 individuals. Keep reading to learn more about the incident and how HIPAA compliant email can help you steer clear of future threats.
QRS first discovered that a hacker had gained access to one of their dedicated patient portal servers on August 26. Upon learning of the attack, QRS immediately took the server offline and alerted law enforcement. The company also worked with a forensic firm to verify the security of its network, evaluate the breach, and determine the full scope. The investigation found that the attacker accessed the portal from August 23 to August 26 and potentially acquired files with patients’ personal and protected health information (PHI) during that period. The breached data may have included individuals’ names, birth dates, addresses, portal logins, medical treatment details, and Social Security numbers.
How is QRS responding to the attack?
QRS distributed written letters to all known contacts whose personally identifiable information (PII) was accessed by the attacker and coordinated complimentary identity theft protection services for patients who had their Social Security numbers exposed. A confidential inquiry line has also been provided which potentially affected individuals can call for additional information. Although the company has not confirmed any identity theft or fraud in connection to the event, individuals are advised to carefully review account statements and credit reports as a precautionary measure. According to the notice, “QRS is taking steps to assess and address the risk of a similar incident occurring in the future.”
Best practices to minimize your risk
This incident serves as an important reminder for healthcare organizations to evaluate their existing systems and proactively close security gaps. Some strategies include conducting regular audits and vulnerability scans, implementing role-based access controls, replacing outdated systems, and investing in cybersecurity training for staff. The QRS breach also highlights that patient portals aren’t always as secure as they seem. While they may give off the appearance of extra privacy, these tools don't guarantee more protection than other encryption methods and credentials can still be compromised. In fact, the recent rapid adoption of this technology has made patient portals a key target for cyberattacks.
That’s why covered entities should turn to HIPAA compliant email for a safer way to keep patients engaged while protecting PHI. Built to conveniently integrate with your current email platform such as Google Workspace or Microsoft 365, Paubox Email Suite sends HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time choosing which emails to encrypt and your patients are able to receive your emails directly in their inbox without having to navigate any separate portals or passwords.
Paubox Email Suite’s Plus and Premium plan levels also include advanced inbound email security tools for further protection. Our patent-pending Zero Trust Email feature leverages email AI to confirm an email’s legitimacy, while ExecProtect quickly intercepts display name spoofing attempts.