East Central Kansas Area Agency on Aging (ECKAAA) said in an online statement that it was the victim of a ransomware attack on September 5, 2017, leaving files encrypted and inaccessible.
ECKAAA said it immediately hired a cybersecurity company to investigate the incident, and learned that a variant of the Crysis/Dharma ransomware had affected the facility.
“The ransomware only affected portions of ECKAAA’s server; not every file stored on the server was encrypted,” the statement read. “Although not every file was encrypted, the ransomware perpetrators would have had access to every file stored on the attacked server. Based on its investigation, the company does not believe any data was removed from ECKAAA’s servers.”
The impacted files contained names, addresses, and telephone numbers. They may also have contained dates of birth, Social Security numbers and/or Medicaid numbers.
ECKAAA said it did have data backups in place, which allowed the organization to restore the data and continue to provide patient services.
The organization added it has increased its security monitoring to help strengthen its overall cybersecurity program.
“ECKAAA has also provided education to its workforce regarding ransomware, including, but not limited to, the importance of using robust passwords,” ECKAAA continued. “All passwords were changed following the ransomware incident. ECKAAA also intends to update its cybersecurity policies and procedures as necessary to prevent similar incidents in the future. As of October 30, 2017, no malicious activity has been detected.”
There were 8,750 individuals possibly affected by this incident, according to the OCR data breach reporting tool.
Patient data security impacted with bag found on IN road
Indiana University Health (IU Health) recently announced that a misplaced bag could potentially impact patient data security.
The facility said it discovered on September 26, 2017 that a bag containing billing paperwork with patient information was found at an intersection in Muncie, Indiana.
IU Health added that only individuals who had procedures at IU Health Ball Memorial Hospital and surrounding facilities between July 9, 2012 and April 25, 2017 potentially had their information involved.
The billing data may have contained patient names, physicians’ names, dates of birth, genders, medical record numbers, dates and times of service, diagnoses, and procedures. Medical records, financial information, and Social Security numbers were not affected.
“We are taking steps to review policies and procedures to minimize the chance of such an incident occurring in the future,” IU Health said in its online statement. “In addition, IU Health has mandatory privacy and security training for all of its workforce members.”
Approximately 1,399 patients may have been affected, according to The Star Press. IU Health Chief Privacy Officer, Vice President, and general counsel Michelle Altobella told the news source that the records were found in a plastic bag that was being transported to the hospital "for proper disposal."
Altobella added that it is believed that all paperwork was recovered and secured.
IU Health explained that there is no reason to believe that any of the information was improperly accessed or used.
Phony websites may have contributed to FL data breach
The Recovery Institute of the South East, P.A. (RISE Therapeutic Services) recently announced on its website that it was the victim of a cyber attack that led to a HIPAA data breach.
Certain individuals may have been contacted after April 4, 2016 by websites that were claiming to be connected to RISE, the Florida-based organization said. However, the GoDaddy account involved was being used without the knowledge or consent of RISE.
“As of now we know that it was used to redirect any contact through the website, email, and also the phone number,” RISE stated. “Through Psychology Today it was confirmed that approximately 200 plus calls and 75 plus emails through their site were rerouted to an unauthorized individual who has yet to be identified.”
The following emails were compromised:
RISE did not specify what information may have been compromised, but said that “personal health information” was involved. It also explained that it received confirmation of the data breach on October 18, 2017 when it was notified by OCR that a complaint RISE filed was a HIPAA violation.
The OCR data breach reporting tool states that 689 individuals may have been impacted. OCR also showed that the breached information was located on “desktop computer, electronic medical record, email, laptop, network server, other, other portable electronic device, paper/films.”
RISE said it has secured all accounts that were known to be compromised and changed its contact information “to ensure all PHI would be secure moving forward.” The organization has also hired third parties to remain HIPAA compliant and prevent similar incidents from happening in the future.
Hospital reports employees accessed patient data without authorization
Kentucky-based T.J. Samson Community Hospital reported that some patient records were accessed by employees who did not have authorization to do so.
An internal audit on August 25, 2017 revealed that two employees at an independent healthcare provider that provides care for hospital patients accessed patient records for T.J. Samson Community Hospital and T.J. Health Columbia outside of their normal job functions.
The access took place between January and August 2017. Information involved varied by patient, but likely included demographic and medical information. Insurance plan information and Social Security numbers may have been included in some cases.
OCR reported that 683 individuals may have been impacted.
“T.J. Samson has terminated access for the individuals in question and is taking additional steps to prevent similar unauthorized access from occurring in the future, including reviewing its access procedures for independent health care providers,” the organization stated.
There is no indication that any of the data was inappropriately used or disclosed, T.J. Samson added.
“Although independent health care providers have a need for information about treatment they provide to patients in the hospital, T.J. Samson notified patients where they could not determine that the patient received care from the independent provider or identify an alternative business reason for the access to the patient’s information.”
Patient information left unsecured on organization’s website
Lifestyle Therapy and Coaching (LTC) said in an online statement that an electronic form used to search LTC client contact information was inadvertently left unsecured and viewable on the organization’s website.
The information was left unsecured on or about June 16, 2017, but LTC said it discovered the issue on August 13, 2017. LTC identified and secured the online form the very next day.
“LTC took steps to address this incident promptly after it was discovered, including removing the form from its website and undertaking an internal investigation of the matter,” the statement explained. “LTC is also in the process of reviewing its internal policies and data management protocols and has implemented enhanced security measures to help prevent this type of incident from recurring in the future.”
Patient first and last names, home addresses, telephone numbers and email addresses may have been viewable online. There is no reason to believe any of the data has been used inappropriately, according to LTC.
The OCR data breach reporting tool lists 550 individuals as having been possibly affected.