Bryan County Ambulance Authority in Oklahoma Faces Ransomware, 14K Impacted

May 25, 2022 - Bryan County Ambulance Authority in Oklahoma began notifying patients of a ransomware attack it experienced in November 2021. According to the Office for Civil Rights (OCR) data breach portal, the incident impacted 14,273 individuals.

The HIPAA Breach Notification Rule requires covered entities to report healthcare data breaches within 60 days of discovery. However, Bryan County Ambulance Authority submitted the breach to OCR and began notifying patients on May 18.

The ambulance authority said it discovered a ransomware infection in November that began encrypting files stored on its network. It immediately disabled unauthorized access, restored encrypted data, and began an investigation.

By April 7, Bryan County Ambulance Authority determined that a threat actor had removed some files containing personal information from the network. The type of information involved in the breach was redacted from the copy of the breach notification letter posted online by the Montana Attorney General’s Office.  

The letter said that there was no evidence that any information had been misused, but impacted individuals received complimentary identity theft protection services.

“Please accept our apologies that this incident occurred. We remain fully committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it,” the letter stated.

“We continually evaluate and modify our practices to enhance the security and privacy of your personal information.”

Washington University School of Medicine Faces Unauthorized Email Access

Washington University School of Medicine disclosed a security incident that impacted the “confidentiality and security of our patients’ and research participants’ information,” a notice on its website stated. It is unclear how many individuals were involved in the incident.

On March 24, the university confirmed that an unauthorized individual had gained access to certain employee email accounts between March 4 and March 28. Washington University School of Medicine immediately secured the accounts and called upon a computer forensic firm to investigate.

The investigators could not determine whether the unauthorized individual viewed any emails or attachments. The accounts contained patients’ and research participants’ names, birth dates, medical record or patient account numbers, addresses, diagnoses, provider names, dates of service, and some health insurance information and Social Security numbers.

“This incident did not affect all School of Medicine patients/research participants, but only those whose information was included in the affected email accounts,” the notice assured.

“We regret any concern or inconvenience this incident may cause. We remain committed to protecting the confidentiality and security of our patients’ and research participants’ information. To help prevent something like this from happening in the future, we have reinforced education with our staff regarding how to identify and avoid suspicious emails and are making additional security enhancements to our email environment.”

Motion Picture Industry Health Plan Mailing Error Affects Nearly 17K

The Motion Picture Industry Health Plan (MPIHP) began notifying 16,838 individuals of a mailing error that resulted in the protected information of some participants being mailed to other participants.

“The Motion Picture Industry Pension and Health Plans are trust funds established by collective bargaining agreements between many of the unions and employers in the motion picture production industry,” the organization’s website states.

On April 4, MPIHP discovered that it mistakenly sent PHI to the wrong individuals via the United States Postal Service on March 31. The mailings contained names, addresses, last four digits of Social Security numbers, hours worked, and dates of health plan eligibility. No medical or claim information was involved in the incident.

MPIHP notified impacted individuals by mail on April 28 and via their MPIHP online mailboxes.

“We apologize for this occurrence. MPIHP takes this matter very seriously and is working continuously to assure the privacy of personal information,” the notice stated.