- On February 21, 2017, an unauthorized individual accessed an employee email account containing PHI at Hill Country Memorial Hospital in Fredericksburg, Texas. Hill Country stated the email hack appears to be the result of intentional criminal activity.
The hacked employee email account contained patient names, dates of birth, Social Security numbers, addresses, patient identification numbers, prescription information, and diagnosis information. The OCR data breach reporting tool states that 8,449 individuals were possibly affected in the incident.
Upon discovering evidence of misconduct, the hospital immediately notified law enforcement of the issue and secured the accessed email account.
Hill Country is also implementing additional security measures in an effort to mitigate further issues.
Law enforcement stated the individual involved in the breach accessed the email account to submit fraudulent invoices to the hospital’s accounts payable department for financial gain.
Hill Country officials cannot confirm which emails were accessed during the incident or whether any personal information was misused in any way.
Hill Country sent advisory notices to all potentially impacted individuals and offered a year of free credit protection services to any patients concerned about the safety of their information.
“We take patient privacy seriously, and are very sorry for any concern or inconvenience this incident has caused or may cause to anyone who has been affected,” said Chief Executive Officer Jayne Pope.
To date, the investigation into the incident is still ongoing.
Clinton County ransomware attack impacts over 1K patients
On March 16, 2017, the Clinton County Board of Developmental Disabilities detected a ransomware attack on its server potentially affecting patient PHI.
Possibly accessed information included patient names, addresses, dates of birth, Social Security numbers, treatment plans, and medical histories. The OCR data breach reporting tool reported that 1,243 individuals may have had their information exposed.
Clinton County enlisted the help of a forensics company to conduct an investigation into the incident and removed the ransomware from the server without paying any ransom to the hackers.
The health organization stated the data has been restored and there exists no evidence to suggest any PHI was extracted from the server or misused as a result of the incident.
On May 4, 2017, Clinton County informed all potentially impacted patients of the incident and began reviewing and enhancing the security measures in place in its computer network.
Additionally, the health organization is training all employees on increasing awareness surrounding cybersecurity threats and is offering a year of free identity protection for patients concerned about the safety of their information.
Texas health senior living community suffers ransomware attack
On March 13, 2017, Walnut Place officials discovered some of its systems had been infected with ransomware.
The senior living community launched an investigation into the incident and determined the ransomware attack occurred around January 25, 2017 and had been removed less than a month later.
Walnut Place hired a third-party forensic investigation team to determine the extent of the damage and to assess the security of the organization’s computer systems.
Walnut Place is enhancing the security of its systems to prevent similar incidents from occurring in the future.
To date, the organization stated there exists no evidence suggesting any sensitive patient information has been extracted or misused from the affected systems.
The affected systems contained patient and resident information including names, Social Security numbers, driver’s license numbers, dates of birth, addresses, telephone numbers, medical record numbers, health insurance information, and diagnostic information.
Potentially impacted patients have been notified of the incident and have been offered a year of free credit monitoring services.
Additionally, Walnut Place has set up a call center to provide concerned patients with further information regarding the incident and how to protect sensitive information.
Walnut Place did not reveal how many individuals were potentially impacted by the incident.
Rutland Regional Medical Center exposes patient email addresses
On May 11, Rutland Regional Medical Center sent an email to over 700 patients in which the addresses for all patients were visible to other recipients, according to the Burlington Free Press.
The email contained an electronic patient survey regarding ways the hospital could improve patient discharge paperwork.
"They have no right to tell anybody else that I was even a patient there," Wallace Nolen, a Rutland resident whose email was revealed in the incident, told the news source.
At this time, the hospital is still investigating the incident. However, the only information exposed during the incident were patient email addresses.
Rutland Regional Medical Center informed affected patients of the incident, apologized for the privacy breach, and terminated the email survey.