4 More Healthcare Organizations Announce Patients Affected by Recent Ransomware Attacks

In the wake of the ransomware attack on Colonial Pipeline, some ransomware gangs such as REvil and Avaddon claimed that they have implemented new rules that require their affiliates to obtain authorization prior to attacking a target, and that attacks on healthcare organizations had been banned. However, many ransomware-as-a-service operations have not implemented restrictions and healthcare providers are still being targeted. Recently, 4 more healthcare organizations have been confirmed as falling victim to attacks.

San Diego Family Care

San Diego Family Care (SDFC) in California has confirmed it has been affected by a ransomware attack in December 2020. SDFC and its business associate Health Center Partners of Southern California (HCP) were impacted by a ransomware attack on their information technology hosting provider, Netgain Technologies. Netgain Technologies reportedly paid a $2.3 million ransom to obtain the keys to unlock the encrypted files and notified SDFC and HCP on January 20, 2021 that the protected health information of their patients had been compromised.

SDFC and HCP were provided with a copy of the affected data and conducted a review to determine which individuals had been affected and the types of data involved. The review was completed on April 11, 2021 and 125,500 patients are now known to have been affected.

SDFC explained in its substitute breach notice that the following types of data were compromised: Names, Social Security numbers, government identification numbers, financial account numbers, dates of birth, medical diagnosis or treatment information, health insurance information, and/or client identification numbers. Affected individuals were notified by mail on May 7, 2021.

SAC Health Systems

San Bernardino, CA-based SAC Health Systems was also a victim of the ransomware attack on its now former IT service provider, Netgain Technologies. SAC Health Systems was notified by Netgain Technologies on January 15, 2021 that the ransomware gang had access to servers containing patient data between November 15, 2020 and November 22, 2020.

SAC Health Systems confirmed on April 20, 2021 that 28,128 individuals had been affected. The types of data compromised included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, tax identification numbers, financial account information, medical histories, electronic signatures, health insurance information, medical record numbers, doctor names, prescription information, and reason for absence. All affected individuals are now being notified.

Harper County Community Hospital

Harper County Community Hospital in Oklahoma has announced it suffered a ransomware attack on March 24, 2021 in which the protected health information of 5,725 patients was potentially compromised.

The hospital said patient medical records were not affected, but workstations and common drives were compromised, and they contained files that included first and last names, dates of birth, home addresses, patient account numbers, diagnoses, Social Security numbers, and health insurance information.

Harper County Community Hospital took immediate corrective actions and has implemented extensive IT security protocols, back-up processes, and updated its HIPAA policies and procedures. All affected individuals are now being notified about the attack.

Prestige Medical Group

Georgia-based Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group, has been affected by a ransomware attack that has been reported to the HHS’ Office for Civil Rights as affecting 34,203 patients.

The attack was conducted by the Avaddon ransomware gang, one of the gangs that has since claimed it is stopping attacks by affiliates on the healthcare sector. The attackers claimed they had exfiltrated patient and employee data prior to file encryption and leaked a sample of data stolen in the attack on its leak site, stating that the medical practice was not interested in cooperating. The attackers claimed, “We have data on the diseases of your clients, confidential cards of your clients, various information on your clients, a lot of opinions and reports from doctors, agreements and contracts, financial information, information about employees, personal data of employees.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.