
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Ambulances Diverted After Westchester Medical Center Health Network Cyberattack

Westchester Medical Center Health Network (WMCHealth) has experienced a cyberattack that affected its information technology systems. The attack was detected last week, and at 10 p.m. on Friday, October 20, 2023, the decision was taken to shut down all connected IT systems. The downtime was expected to last for 24 hours, and systems were brought back online on a rolling basis over the weekend. All systems were restored by Monday, October 24.

Without access to essential IT systems, the decision was taken to divert ambulances at HealthAlliance of the Hudson Valley facilities, including HealthAlliance Hospital in Kingston, Margaretville Hospital in Margaretville, and the skilled nursing facility, Mountainside Residential Care Center in Margaretville. The diversion ended on Saturday night and the hospitals resumed patient admissions, although stroke patients are still being taken to alternative facilities.

WMCHealth said the New York State Department of Health and Ulster and Delaware County officials were notified about the attack and it has been working with law enforcement, including the FBI, and has engaged a third-party cybersecurity firm to assist with the investigation. The first priority was ensuring patient safety, which is why ambulances were diverted. The hospitals remained open throughout and continued to accept walk-in patients, who were assessed, treated, and released, or transferred to alternative WMCHealth facilities.

Update December 14, 2023

At the time of the initial announcement about the cyberattack, it was unclear to what extent, if any, patient data was involved. It has now been confirmed that hackers had access to WMCHealth's network between August 18, 2023, and October 13, 2023, and during that time, the threat actor accessed and acquired certain files from the network. It is still unclear exactly how many individuals have been affected, but it has now been confirmed that the following types of information were either exposed or stolen: names, addresses, dates of birth, Social Security numbers, diagnoses, lab results, medications, and other treatment information, health insurance information, provider names, dates of treatment, and/or financial information. Complimentary credit monitoring services and identity theft protection services have been offered to patients whose Social Security numbers were exposed.


PHI Compromised in Cyberattack on Fellowship Village

Fellowship Village, a retirement community in Bernards Township, NJ, has recently announced a security breach that was detected on or around August 9, 2023. The forensic investigation confirmed that there had been unauthorized access to its network between July 27, 2023, and August 9, 2023, during which time files containing sensitive information may have been accessed and exfiltrated.

The review of the affected files is ongoing, but it has been confirmed that protected health information may have been compromised. The information involved includes a combination of names, addresses, Social Security numbers, patient identification numbers, medical record numbers, medical information, treatment information, diagnosis information, health insurance information, driver’s license/state identification numbers, financial account information, and dates of birth.

Policies and procedures are being reviewed and security will be enhanced to prevent further data breaches. To meet HIPAA breach reporting requirements, the HHS’ Office for Civil Rights has been notified and told at least 501 individuals were affected. The total will be updated when the full scale of the breach is determined.

Hackers Gained Access to PHI of BHI Energy Health Plan Members

BHI Energy, a Weymouth, MA-based provider of project management and staffing support to the nuclear, fossil, wind, hydro, and government energy markets, has discovered an unauthorized third party gained access to certain systems within its network. The breach was detected on or around June 29, 2023, and the subsequent investigation confirmed on September 1, 2023, that business records had been accessed, some of which contained individuals’ personally identifiable information (PII).

In total, the PII of 91,269 individuals was potentially compromised, including the 4,049 members of its health plan. The compromised data included first, middle, and last name, address, date of birth, and Social Security number, and potentially health information. Affected individuals have been offered complimentary credit monitoring and identity theft protection services. Additional security measures have been implemented to improve data security and prevent similar breaches in the future.

MOVEit Transfer Hacking Victims

NASCO

NASCO, an Atlanta, GA-based provider of benefits administration services to health plans, has confirmed that it was affected by the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution, which was used to transfer files to its health plan clients. The vulnerability was exploited on May 30, 2023, the day before Progress Software released the patch to fix the flaw. NASCO said it learned that it had been affected on July 12, 2023. While no misuse of the stolen data has been detected, notification letters have been issued. The breach was reported to the Maine Attorney General as affecting 804,862 individuals; however, based on the breach report submitted to OCR, the protected health information of 2,956 individuals was compromised. The lower total may be due to health plan clients choosing to report the breach themselves. NASCO says affected individuals have been offered complimentary credit monitoring and identity theft protection services for up to 24 months. The breached information included names and Social Security numbers.

Meadville Medical Center

Meadville Medical Center in Pennsylvania has confirmed that it was affected by the MOVEit Transfer hacks. The file transfer solution was used by Westat Inc., which provided data collection and management services as part of the National Hospital Care Survey (NHCS). The breach was detected on May 30, 2023, and involved the protected health information of approximately 1,300 patients. Westat has offered the affected individuals 12/24 months of complimentary credit monitoring services.

Cape Fear Valley Health

Cape Fear Valley Health in Fayetteville, NC, was also affected by the MOVEit Transfer hack at Westat. Files were copied that included the protected health information of 1,943 patients, most of whom had been treated between February 2023 and May 2023. The stolen data included names, addresses, dates of birth, and diagnoses. Affected individuals have been offered 12/24 months of complimentary credit monitoring services.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
