Compromised Medical Records, Ransomware Attacks Trouble Healthcare
One California health center’s communication system remains down three weeks after a cyberattack while ransomware and PHI exposure continue to impact healthcare.
Source: Getty Images
By Jill McKeon
- Holiday ransomware attacks, compromised medical records, and network outages continue to overwhelm healthcare organizations.
Despite an increase in cyber threats, recent research suggested that 42 percent of healthcare organizations still do not have incident response plans to prepare for the highly likely event of a cyber incident.
Systems offline for 3 weeks due to medical center cyberattack
California-based Community Health Centers (CMC) began notifying 656,047 patients about a cyberattack that forced its communication systems offline for three weeks and counting. According to a statement on its website, CMC discovered the breach on October 10 and shut down its communication systems immediately.
An investigation revealed that an unauthorized actor had accessed CMC’s systems and potentially compromised patient names, addresses, Social Security numbers, demographic information, medical information, and birth dates.
“Upon detecting this incident, we moved quickly to initiate a response, which included conducting an investigation with the assistance of cybersecurity experts, confirming the security of our network environment, and notifying law enforcement,” the letter to patients stated.
READ MORE: FIN12 Ransomware: Why It’s a Healthcare Threat, How to Prevent an Attack
“CMC has also reviewed and altered our policies and procedures relating to the security of our systems and servers, and reviewed and altered how we manage data within our network.”
CMC’s website states that its communications are still down, but clinic sites remain open during regular hours.
Cancer center faces cyberattack over Labor Day weekend
Las Vegas Cancer Center (LVCC) began notifying patients of a cyberattack that occurred over Labor Day weekend, according to the Las Vegas Review-Journal. The cancer center said that hackers had accessed a business server and encrypted data over the long weekend, and the incident was not discovered until the office reopened on September 7.
“LVCC immediately notified law enforcement and fully participated in an investigation by the FBI, and conducted its own internal investigation,” the organization said in a press release.
“LVCC also notified its electronic medical records vendor, which relies on the server data to build LVCC’s patient records database.”
READ MORE: Cybersecurity Workforce Must Grow 65% to Protect Critical Assets
The breach may have impacted patient names, Social Security numbers, medical records, birth dates, and insurance information.
“All patient data was stored on the server in a format proprietary to LVCC’s electronic medical records system, and therefore likely not usable to the hackers,” the center continued.
“LVCC does not believe that any data was copied or transferred from its server, and has received no ransom demand from the hackers to unlock the data.”
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a ransomware awareness alert in late August warning organizations of an uptick in ransomware attacks on holidays and weekends.
Box of medical records with unsecured PHI sent to the wrong address
A man from Gastonia, North Carolina was accidentally mailed a box of medical records containing birth dates, names, Social Security numbers, and protected health information (PHI), according to local ABC affiliate WSOC-TV.
READ MORE: The Importance of Third-Party Risk Assessments in Healthcare
The return label on the box said that the package was sent from Concentra, a national occupational health provider. The box was addressed to Workpartners at the University of Pittsburgh Medical Center (UPMC), but it also had another label with no name that listed the address of North Carolina resident Blake Drumm.
“That shouldn’t be public, plain and simple, so I just wanted to get to the bottom of it. Make sure that we’re doing the right thing,” Drumm told WSOC-TV, the station that he contacted when he received the records.
A WSOC-TV reporter contacted Concentra and the US Postal Service in an attempt to figure out why the package was delivered to Drumm. The box included hundreds of records containing diagnoses, addresses, and other identifiable information. It is unclear at this time whether the other parties have begun notifying impacted individuals of the improper handling of their medical records.
Seattle community health center faces data breach
Sea Mar Community Health Centers announced that it suffered a data breach that impacted an unknown number of current and former patients. The health center, which treats underserved communities in the state of Washington, began notifying impacted individuals in late October.
The center noticed on June 24 that an unauthorized actor had copied data from its network and immediately engaged cybersecurity experts. Further investigation revealed that additional data may have been copied between December 2020 and March 2021.
Some patient names, addresses, Social Security numbers, birth dates, medical, vision, and dental treatment information, insurance information, and images associated with dental treatment may have been involved in the incident.
Sea Mar said it was not aware of any misuse of protected health information as a result of this incident. However, the health center will provide complimentary credit monitoring and identity theft protection services to impacted individuals.
