6 Healthcare Providers and Business Associates Report Hacks and Ransomware Attacks

Share this article on:

A round-up of 6 cyberattacks that have recently been reported by healthcare providers and business associates that resulted in the exposure and possible theft of patients’ protected health information.

Duncan Regional Hospital

Duncan Regional Hospital in Oklahoma has announced that hackers gained access to its systems and potentially exfiltrated sensitive patient and employee information. The breach was detected on January 20, 2022, and immediate action was taken to secure its systems, and an independent computer forensics company was engaged to conduct a forensic investigation to determine the nature and scope of the breach.

A review of the files on the affected parts of its system confirmed they contained patient information such as name, date of birth, Social Security number, limited treatment information, and medical appointment information such as date of service and name of providers. Employee data potentially accessed in the attack included personal information associated with W-2s, such as name, date of birth, address, and Social Security number.

Duncan Regional Hospital said it performed a full password reset, tightened firewall restrictions, and implemented endpoint threat detection and response monitoring software on workstations and servers. Affected individuals have now been notified and have been offered complimentary credit monitoring and identity theft protection services.

The breach was reported to the Maine attorney general as affecting 92,398 individuals.

Bako Diagnostics

Bako Diagnostics (BakoDx), a Georgia-based provider of laboratory services to healthcare providers, has announced it was the victim of a cyberattack that was discovered on December 28, 2021.

BakoDx said the investigation into the cyberattack is ongoing, but it has been confirmed that hackers gained access to its network and removed data between December 21, 2021, and December 28, 2021. The files exfiltrated from its systems included the protected health information of patients. In addition to names, one or more of the following data types may have been compromised: date of birth, address, telephone number, email address, health insurance information, medical record number, date(s) of service, provider and facility names, specimen/test information, billing and claims information, and financial account information.

BakoDx said it has enhanced its security and monitoring capabilities and has hardened the security of its systems to prevent further cyberattacks. Individuals whose Social Security number, driver’s license, state identification number, or financial account information may have been involved have been offered complimentary credit monitoring services.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 25,745 individuals.

Alliance Physical Therapy Group

Alliance Physical Therapy Group in Grand Rapids (APTG), MI, said it discovered unauthorized individuals had gained access to certain systems within its network on December 27, 2021. Assisted by a third-party cybersecurity firm, APTG determined on January 7, 2022, that files containing the protected health information of 14,970 patients may have been exfiltrated from its network between December 23, 2021, and December 28, 2021.

A review of those files confirmed they contained patient names, dates of birth, Social Security numbers, driver’s license numbers, medical information, and health insurance information.

APTG said it is reviewing its cybersecurity policies and procedures and will implement additional measures and safeguards to prevent further cyberattacks. APTG found no evidence of misuse of patient data but has offered affected individuals 12 months of complimentary credit monitoring and identity restoration services. Notification letters were sent on January 28, 2022.

DataHealth

The Austin, TX-based cloud hosting and data storage company DataHEALTH has announced it was the victim of a ransomware attack on November 3, 2021. Prompt action was taken to contain the incident and a third-party cybersecurity firm was engaged to investigate the incident.

DataHEALTH said it learned on December 30, 2021, that the attackers obtained data from its servers through third-party software used by some of its healthcare provider clients, which included patients’ protected health information. DataHEALTH said it worked with the third-party software provider to update credentials for all customers that use the software and additional security protocols have been implemented to enhance the security of its network.

While sensitive information was stolen, DataHEALTH said it found no evidence to suggest any of that information has been misused; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity theft protection services and will be protected by a $1 million identity theft insurance policy.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

JDC Healthcare Management

Dallas, TX-based JDC Healthcare Management, also known as Jefferson Dental & Orthodontics, has recently announced that malware was discovered on certain company systems which allowed unauthorized individuals to access and potentially exfiltrate sensitive patient information.

The malware was detected on or around August 9, 2021, with the investigation confirming the malware was downloaded onto its systems on July 27, 2021.  The malware was removed and unauthorized access to its systems was prevented on August 16, 2021.

JDC Healthcare Management performed a comprehensive review of all files on its systems that may have been compromised and confirmed they included patient names, Social Security numbers, passport numbers, driver’s license numbers, state identification numbers, dates of birth, clinical information, health insurance information, and financial information.

The review was completed on January 10, 2022, and notification letters were sent to affected individuals, who have been offered complimentary credit monitoring and identity theft protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Update: The breach has affected more than 1 million Texans. An update is provided here.

Dr. Douglas C. Morrow

Auburn, Indiana-based Dr. Douglas C. Morrow has recently announced that hackers gained access to his IT systems and used ransomware to encrypt data. The incident occurred on May 16, 2021, and a digital forensics firm was engaged to investigate the scope of the incident. The investigation confirmed on October 29, 2021, that the attackers had access to IT systems that contained patient data and that files containing patients’ protected health information may have been exfiltrated prior to file encryption.

A review of those files was completed on December 8, 2021, and confirmed the following types of information may have been stolen:  names, addresses, Social Security numbers, driver’s license numbers, health insurance information, Member/Medicaid ID numbers, treatment/diagnosis information, dates of service, provider name(s), patient account number(s), and medical record number(s). Dr. Douglas C. Morrow said notification letters were sent to affected individuals on February 23, 2022.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On