Healthcare Ransomware Attack in CA Involves PHI of 57K

September 07, 2021 - San Andreas Regional Center (SARC), a non-profit that provides support and services for those with developmental disabilities, announced that it suffered a ransomware attack that may have exposed the protected health information (PHI) of over 57,000 individuals.

SARC discovered the ransomware attack on July 5, 2021, and concluded its investigation on August 2. The center stated that there is currently no evidence indicating PHI misuse. SARC was able to quickly restore its systems via data backups.

The center sent notifications to impacted individuals on August 27. A few days later, HHS’ Office for Civil Rights (OCR) added the incident to its data breach portal, confirming that the breach impacted 57,244 individuals. Recent research suggests that business associates and outpatient facilities are now prime targets for healthcare data breaches.

The breach included first and last names, birthdates, Social Security numbers, full-face photos, health plan beneficiary numbers, telephone numbers, email addresses, health insurance information, diagnoses, and disability codes.

“The security and privacy of the information contained within our systems is a top priority for us, and we were shocked to learn that we were one of the thousands of victims of this type of cyberattack,” Javier Zaldivar, executive director of SARC, explained in the statement.

“We are fully committed to protecting the information on our systems and sincerely regret the worry caused by this incident. We thank the community, our employees, patients, and partners for their support during this event.”

The notice provided a detailed list of steps that it encourages impacted individuals to take to mitigate further damage and ensure cybersecurity. SARC recommended that patients obtain and monitor their credit reports, request a credit freeze, consider placing a fraud alert on credit reports, and take advantage of free resources to prevent identity theft.

“SARC recommends that individuals enroll in the services provided and follow the recommendations contained within the notification letter to ensure their information is protected,” the statement continued.

“Also, in addition to notifying the FBI, SARC reported the incident to certain regulatory authorities, as required.”

On August 24, California attorney general Rob Bonta released a bulletin urging healthcare providers to comply with state and federal data privacy laws by reporting healthcare data breaches to the California Department of Justice (DOJ).

The bulletin was inspired by multiple unreported healthcare data breaches in California.

Bonta’s office sent the bulletin to top healthcare stakeholders including the California Dental Association, the California Hospital Association, and the California Medical Association. State and federal law requires healthcare entities to report a breach to the DOJ if it impacted more than 500 people.

President Biden recently met with top cybersecurity leaders from Google, Microsoft, and Amazon to discuss new cybersecurity initiatives to prevent ransomware attacks.

As attacks ramp up and cyber criminals claim more victims, federal and state governments are continuing to make cybersecurity a top priority by investing in education and supply chain security initiatives.