- Arkansas Oral & Facial Surgery Center recently announced on its website that it experienced a ransomware attack on its computer network on July 26, 2017.
An investigation determined that the ransomware had been installed either earlier that morning or the evening before. The organization added that extortion was likely the reason for the attack, and not an attempt to gain patient information.
A limited set of patient information was likely affected, the center explained. Additionally, imaging files, such as x-rays, and other documents (i.e. attachments, radiographs) were impacted.
The OCR data breach reporting tool states that 128,000 individuals were possibly impacted.
The attachments and radiographs might include demographic information such as patient names, addresses, dates of birth, and Social Security numbers. Clinical information such as diagnoses, treatment plans or conditions and other information such as health insurance information were also likely included.
“While our investigation into the matter continues, it does not appear that patient information was stolen from our system,” the statement explained. “However, the ransomware has rendered the imaging files and documents inaccessible. Based on our present investigation, it also appears that the ransomware rendered all electronic patient data inaccessible pertaining to visits within approximately three weeks prior to the incident.”
The center said it has implemented a new record system and will also be offering patients 12 months of identity repair and credit monitoring services. Arkansas Oral & Facial Surgery Center added that patients should “exercise caution regarding communications if you receive an unsolicited call or email” about the incident.
“Please know that we will not call or email anyone requesting any personal information as a result of this situation,” the center concluded.
Phishing attack exposes company emails, certain patient data
Wisconsin-based Network Health recently had two staff members fall victim to a phishing attack, which exposed their company emails. From there, certain patient information may have been exposed, according to a company statement.
While credit card and financial information were not involved and Network Health has no reason to believe the information was misused, it still brought in a forensic expert to determine the impact’s extent.
Approximately 51,000 individuals may have had their information accessed, the organization said. This data may include member names and IDs, provider information, addresses, phone numbers and dates of birth.
Additionally, claims information and Health Insurance Claim Numbers may have been exposed in a few limited cases. Affected individuals will be offered one year of free identity theft protection and monitoring services.
“We take the security and sensitive information of our members very seriously,” Network Health Chief Administrative Officer Penny Ransom said in a statement. “As a result of this attack, steps are underway to further improve the security of operations and prevent future incidents.”
This includes reeducating the entire organization on how “to recognize and report these more sophisticated phishing attempts,” the Network Health announcement read. The entity added it is reviewing all security processes and procedures.
“Network Health maintains technical safeguards to protect against phishing incidents and detect intrusions,” Network Health maintained. “There are safeguards in place to ensure the privacy and security of all member information.”
OK data security incident stemmed from employee theft
Mercy Health Love County Hospital and Clinic reported that a former employee stole a laptop and a small number of patient records from a hospital storage unit, creating a data security incident affecting 10 patients.
The Oklahoma facility stated that the information gathered, including patient names and Social Security numbers, was used to fraudulently obtain credit cards.
“We are very upset that this occurred, as we take the privacy and security of our patient information very seriously,” Mercy Health Love County Hospital and Clinic Administrator Richard Barker said in a statement. “We are taking steps to secure all patient information to prevent anything similar from happening again, and we will do all we can to see that the criminals are held accountable.”
This incident was first reported in July 2017, with KXII Fox News 12 stating that the suspected thief was Lane Miller. Miller had worked as a licensed practical nurse for Mercy Health until the beginning of 2017, the news station said.
While Mercy Health reported that only 10 individuals had their information impacted, the OCR data breach reporting tool lists an incident stemming from a theft of “paper/films” at Mercy Health affecting 13,004 individuals. The breach submission date listed is September 20, 2017.
Stolen laptop leads to VA medical center PHI data breach
Spokane, Washington-based Mann-Grandstaff VA Medical Center (MGVAMC) stated that the PHI of 3,275 veterans may have been exposed in a recent data breach.
A vendor-issued laptop was reported missing on August 7, 2017 during an equipment inventory, according to a press release. The device was used to interface with a Laboratory hematology analyzer and was in operation between April 2013 and May 2016.
Information that may have been compromised includes full names, dates of birth, and Social Security numbers. Veterans who may have had a hematology sample processed at the Mann-Grandstaff VA by the missing analyzer in the April 2013 and May 2016 timeframe will receive a data breach notification. If necessary, those individuals will also be offered one complimentary year of credit monitoring services.
“We at VA take information security very seriously and will continue to work to ensure that appropriate safeguards are in place to protect Veterans’ information,” the statement read. “Leadership at Mann-Grandstaff VAMC has developed a new media sanitization policy to prevent this from happening in the future.”