Malware Attack Hits Boston Children’s Hospital Physician Group
A physician group affiliated with Boston Children’s Hospital is experiencing a system outage caused by malware; email hacks, phishing, and database misconfiguration complete this week’s breach roundup.
By - The Pediatric Physician’s Organization at Children’s (PPOC) is recovering from a large system outage, which is affecting the more than 500 primary care doctors, nurse practitioners, and physician assistants across Massachusetts, first reported by Boston25 News.
PPOC is affiliated with the Boston Children’s Hospital. However, the hospital has not been impacted by the cyberattack, as the PPOC network is separate.
The security incident was first discovered on Monday, February 10. PPOC’s IT team worked quickly to contain the attack and ensure it did not spread to other systems.
Currently, the impacted systems have been quarantined. Some PPOC offices are encouraging patients to postpone scheduled checkups for February 12. Children with mild symptoms should wait before coming into the office, officials said. PPOC is still investigating whether any patient data was exposed during the attack.
Shields Health Solutions Employee Email Hack
Shields Health Solutions is notifying an unspecified number of patients that their data was potentially compromised after an email hack on an employee email account. Shields is a specialty pharmacy solutions vendor for hospitals and other covered entities.
READ MORE: FBI Alerts to Ongoing Targeted Supply-Chain Cyberattacks
Suspicious activity was first discovered on October 24, and steps were taken to immediately secure the account. An investigation determined a hacker gained access to one employee email account between October 22 and 24.
The accounts contained some patient records, including names, dates of birth, medical record numbers, provider names, prescriptions, clinical data, insurer names, and limited claims information.
Shields has since implemented multi-factor authentication on all employee email accounts and taken further steps to enhance its security procedures.
Hospital Sisters Health System Reports August 2019 Breach
Hospital Sisters Health Systems in Wisconsin is notifying 16,167 patients of a potential data breach, after several employee email accounts were hacked in August 2019.
The hack occurred between August 6 and August 9, 2019. Officials said they took action to secure the accounts, including changing account passwords. An investigation into the event concluded on December 2 and determined patient information was potentially accessed by the attackers.
READ MORE: Hackers Increasing Complex Attacks with Hack Tools, Ransomware
The accounts contained patient names, dates of birth, and some clinical information. Health insurance information, Social Security numbers, and or driver’s licenses were compromised for a small number of patients.
The notification did not explain when the hack was first discovered. However, it’s important to note that covered entities are required to report breaches within 60 days of discovery, rather than the conclusion of an investigation.
Sunshine Behavioral Health Group Cloud Misconfiguration
About 3,500 Sunshine Behavioral Health Group patients are being notified that some of their protected health information was left exposed online due to a misconfigured cloud server. Based in California, Sunshine Behavioral provides business services to several healthcare providers.
On September 4, officials said they discovered a cloud-based system used to store some patient records was accidentally configured to allow open access through the internet. The settings were immediately changed and further steps to remove the records from the internet were completed on November 14.
The notification did not explain how long the data was left exposed.
READ MORE: Insider Breach Remediation Costs Health, Pharma $10.81M Annually
The investigation concluded that some personal information of patients and providers who provided payment information for those patients were impacted by the event. The compromised data varied by patient, but could include, names, demographic details, contact information, financial account data, clinical and medical information, health insurance, claims and account data, and electronic signatures.
Social Security numbers were included for a small number of patients.
Phishing Attack on My Health My Resources of Tarrant County
Several employees of My Health My Resources (MHMR) of Tarrant County in Texas fell victim to phishing attacks, which potentially breached the data of 6,524 patients.
The phishing attack was first detected on December 3. An investigation revealed the impacted employee email accounts were first accessed between October 12 and 14. The accounts contained patient names, Social Security numbers, driver’s licenses, and some care information.
Officials could not rule out access. MHMR has since provided its employees with further email security training and enhanced the security of its infrastructure and systems.
Lafayette Regional Rehabilitation Reports July 2019 Email Hack
Indiana-based Lafayette Regional Rehabilitation Hospital detected a hack on an employee email attack in November, which potentially breached the data of 1,360 patients.
The hacker first gained access to the account months earlier in July 2019. An investigation revealed the account contained patient information, such as dates of birth, clinical information, and treatment data from services received at the hospital. Social Security numbers were included for some patients. Officials said they could not rule out access.
The hospital has since reinforced security training with employees and bolstered the security of its email platform.
