Dedicated to providing the latest
HIPAA compliance news

4-Month Data Breach Discovered During Ransomware Investigation: 300,000 Patients Impacted

Share this article on:

Women’s Health Care Group of Pennsylvania, one of the largest healthcare networks in the state, has alerted approximately 300,000 patients that some of their sensitive protected health information has been compromised.

The types of data exposed – and potentially stolen – include names, addresses, dates of birth, lab test orders, lab test results, blood types, race, gender, pregnancy status, medical record numbers, employer information, insurance details, medical diagnoses, physicians’ names and Social Security numbers.

Identity theft protection services are being offered to all affected patients. Those individuals would do well to activate those services promptly, as hackers gained access to a server and workstation containing the above information in January this year, with access to systems possible until at least May.

In May, a virus was installed on a server/workstation preventing the hospital from accessing patient data. While ransomware can be installed as a result of a phishing email or software vulnerability, in this case it appears to have been deployed by individuals who already had access to its systems. This is not atypical. If hackers manage to gain access to a healthcare network, it is becoming increasingly common for ransomware to be deployed when access to the system is no longer required – Once all useful data have been exfiltrated, for instance.

Women’s Health Care Group of Pennsylvania rapidly isolated the affected devices to prevent the spread of the infection and external cybersecurity experts were called in to conduct a forensic investigation to determine the nature and scope of the security breach. The Federal Bureau of Investigation was also notified.

While a ransom demand had been issued by the attackers, no money was paid as all data could be recovered from a backup. Women’s Health Care Group of Pennsylvania says no protected health information was lost.

The investigation revealed that hackers had first gained access to its systems in January 2017 after taking advantage of a security vulnerability, with the same vulnerability believed to have been used to install ransomware. While Women’s Health Care Group of Pennsylvania did not find any evidence to suggest information on the server or workstation had been viewed or stolen, data access and theft could not be ruled out.

This is the second such incident to be reported in the past few weeks. Earlier this month, Peachtree Neurological Clinic of Atlanta, GA announced that an investigation into a ransomware attack revealed its systems had been compromised 15 months previously.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On