Hypertension-Nephrology Associates Warn Patients of Data Theft Incident
Hypertension-Nephrology Associates in Michigan has recently announced that it was the target of a cyberattack in January 2024. An unknown threat actor dropped a ransom note on its computer system demanding payment to prevent the publication of patient data that was stolen in the attack.
The healthcare industry continues to be targeted by ransomware gangs that steal data and encrypt files, demanding payment for the keys to decrypt files and to prevent the release of stolen data; however, many threat actors skip file encryption and conduct extortion-only attacks, as was the case in the attack on Hypertension-Nephrology Associates. After discovering the ransom note, an investigation was launched to verify the threat actor’s claims. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that the threat actor had access to its systems between January 20, 2024, and February 6, 2024. During that time, files containing patients’ protected health information were exfiltrated from its systems.
A comprehensive review was conducted of the compromised part of the network; however, the extent to which patient data had been viewed or stolen could not be determined. Hypertension-Nephrology Associates is therefore working on the assumption that all protected health information stored on the network has been compromised. That information includes names, dates of birth, diagnosis and treatment information, Social Security numbers, and health insurance identification numbers.
The practice engaged third-party security experts and external counsel on HIPAA compliance and has implemented additional security measures to prevent similar incidents in the future. The affected patients are now being notified and complimentary credit monitoring services have been offered to all patients. The incident has been reported to the HHS’ Office for Civil Rights as affecting 39,491 patients.
Former Allina Health Employee Improperly Accessed Records of 715 Patients
Minneapolis, MN-based Allina Health System has discovered that certain patients’ health records have been improperly accessed by a former employee. The unauthorized access came to light in January 2024, prompting a comprehensive review of access logs to determine which patient records had been improperly viewed. In March 2024, the review was completed, and it was confirmed that the health records of 715 patients had been accessed without authorization. Data potentially viewed included names, addresses, photo IDs, insurance information, limited clinical information, and the last 4 digits of Social Security numbers. Allina Health said the former employee has not worked for Allina Health since 2022. All affected patients were notified and offered 2 years of complimentary identity theft and credit monitoring services. Employees have been re-educated on HIPAA and internal policies.


