Hospital system's cardiac cath lab computers hacked

A Cleveland-based hospital system said hackers had used malware to obtain personal information on 981 patients over an eight-month period, although there is no evidence the information was misused.

The MetroHealth System said in a statement last week that it had discovered malware on three computers in its cardiovascular lab that appears to have infiltrated these computers during the period between July 14 and July 29, 2014. The computers’ data included medical information on 981 patients who had cardiac catheterizations between July 14, 2014, and March 21, 2015.

The system said an investigation revealed that one of MetroHealth’s business associates updated software systems used on these computers during the five-day period in July, at which time the antivirus protection in them was disabled to facilitate the updates.

As a result, the malware was able to infect these computers, MetroHealth said. It was removed on March 18, 2015, the company said in its statement, adding that the malware had created a “back door” for potential subsequent access to those computers.

The system said there is no evidence of any subsequent access and that the back door component of the malware was successfully purged from the computers on March 21.

MetroHealth said there is no evidence the information obtained had been accessed or used.

The information accessed included patient date of birth, height, weight, medications and data related to the catheterization, among other information, the hospital system said.

MetroHealth said measures it has taken in response to the hacking include increased monitoring of computers for malware. The system said it is informing patients affected by the intrusion, in accordance with federal law.

A system spokeswoman could not immediately provide information on any insurance coverage.