Three healthcare providers in New York, Florida, and Georgia have started notifying patients that some of their protected health information was potentially compromised in recent cyberattacks, two of which involved ransomware and one involving an unspecified computer virus.
Four Winds Hospital, NY
Four Winds Hospital in Katonah, NY, discovered files had been encrypted by ransomware on or around September 1, 2020. The attack prevented the hospital from accessing its computer systems and resulted in downtime of around two weeks while the attack was mitigated.
Upon discovery of the attack, steps were immediately taken to prevent any further unauthorized system access and third-party cybersecurity experts were engaged to help identify the scope of the attack and whether patient data had been compromised.
According to Four Winds Hospital’s substitute breach notice, “[The cybersecurity experts] obtained evidence that the cybercriminals deleted any files in their possession, although that evidence cannot be independently verified.” That suggest a ransom was paid, although that has not been confirmed by Four Winds Hospital.
The attack did not involve the electronic medical record system, cloud environment, email, or encrypted data fields. The investigation revealed password protected files were accessed and patient lists from 1983 to present could potentially have been viewed. Those lists included names and medical record numbers, with around 100 records containing Social Security numbers. Miscellaneous files containing patient data from 2013 to present may also have been accessed. Those files included names, treatment information, and the Social Security numbers of Medicare patients admitted prior to 2019.
The breach has yet to appear on the HHS’ Office for Civil Rights breach portal so it is unclear how many patients have been affected.
Advanced Urgent Care of Florida Keys
Advanced Urgent Care of Florida Keys started issuing notifications to patients on November 6, 2020 about a ransomware attack that occurred on March 1, 2020. While not stated in the breach notice, Databreaches.net previously reported (on March 14, 2020) that patient data was stolen in the attack and was dumped online when the ransom demand was not paid.
According to the Advanced Urgent Care breach notice, an investigation was launched following the attack which took until September 11, 2020 to determine patient data had been compromised. The attack saw files on a backup drive encrypted which contained protected health information including names, dates of birth, health insurance information, medical treatment information, medical diagnostic information, lab results, medical record numbers, Medicare or Medicaid beneficiary numbers, medical billing information, bank account information, credit or debit card information, CHAMPUS ID numbers, Military and/or Veterans Administration numbers, driver’s license numbers, signatures, and Social Security numbers.
Complimentary credit monitoring services have been offered to patients whose Social Security number was compromised and steps have been taken to improve security to prevent further attacks and to identify and remediate future threats.
Galstan & Ward Family and Cosmetic Dentistry, GA
Galstan & Ward Family and Cosmetic Dentistry in Suwanee, GA, has reported a ransom event involving a computer virus on one of its servers. In contrast to ransomware attacks where files are encrypted and a ransom note is placed on infected computers, Galstan & Ward said the practice was contacted by telephone and told that a computer server had been infected with a virus. A ransom was then demanded over the telephone.
Galstan & Ward had previously detected suspicious activity on the server and had arranged for a third-party vendor to wipe the server and restore data from a backup. No ransom was paid, and Galstan & Ward reports no significant disruption to services or data loss. However, on September 11, 2020, Galstan & Ward discovered files had been stolen and published online on a dark web website, although those files did not contain any patient information.
The contracted IT firm confirmed that the malware had been removed and found no evidence to indicate patient information in its dental practice software was accessed. Additional investigations similarly found no evidence to indicate patient data was accessed or acquired.
Notifications were issued to patients out of an abundance of caution since it was not possible to rule out the possibility of unauthorized PHI access. If the attackers accessed the dental software system, they could have viewed names, dates of birth, addresses, Social Security numbers, and dental records.
In its comprehensive substitute breach notice, Galstan & Ward said cryptographic technology is now used to protect patient data and additional data security measures have been implemented on its web server infrastructure. Affected individuals have been offered complimentary identity theft protection services through IDX.
Resource: HipaaJournal