30K patients impacted by Ransomware Attack in Maryland hospital
In today’s world, data breaches and cyber-attacks are becoming more common, particularly in the healthcare sector. Unfortunately, three separate incidents have recently occurred affecting thousands of patients across the United States.
Atlantic General Hospital in Maryland recently notified 30,704 patients of a ransomware attack that potentially compromised their protected health information. The attack occurred in late January and led to network outages at the hospital. The hospital initiated an inquiry with the assistance of a third-party computer forensics firm to ascertain the scope and characteristics of the incident.
The investigation revealed unauthorized access to specific servers and files, which contained sensitive information such as name, Social Security number, financial account information, medical record number, treating/referring physician, and health insurance information. The hospital offers 12-month credit monitoring and identity protection services and has recommended that patients constantly check account statements and credit reports for any suspicious activity or inaccuracies.
Another data breach occurred in California, where a mailing error potentially affected up to 6,460 members of Medi-Cal, exposing their PHI. The California Department of Health Care Services (DHCS) found that a mailing error involving subcontractor Advanced Image Direct (AID) led to a mix-up of IRS Form 1095-B, with forms containing personal information belonging to the incorrect recipient.
After discovering the incident, DHCS halted printing and mailing operations and investigated AID to prevent future errors. The investigation determined that approximately 250 records were likely impacted, with a potential maximum of 6,460 records. As a remedial measure, AID will implement more rigorous quality controls to prevent such incidents from occurring in the future.
In addition, Health Plan of San Mateo (HPSM) recently notified 11,894 individuals of a data breach within its email environment. It was found that a successful phishing attempt had allowed an unauthorized entity to access a worker’s email account. While there is evidence indicating that the attack aimed to manipulate the employee’s direct deposit details rather than to obtain personal or plan member data, HPSM conducted a thorough examination of all the emails and attachments in the mailbox.
In doing so, they discovered a spreadsheet that contained crucial details such as names, birth dates, member identification numbers and limited information regarding calls made to the nurse advice line. HPSM has implemented additional security measures and provided further training to employees on identifying phishing attempts.
These incidents serve as a reminder of the importance of protecting sensitive information and the need for continued vigilance in the face of evolving cyber threats. Healthcare organizations must prioritize cybersecurity and implement robust measures to safeguard patients’ data. Patients should also remain alert to any suspicious activity and take steps to protect their personal information.
Author: Alok Kumar