HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ascend Clinical and Alamance Skin Center Suffer Ransomware Attacks

Redwood City, CA-based Ascend Clinical, a provider of ESRD laboratory testing for independent dialysis providers, has announced it suffered a phishing attack that led to a ransomware attack in May 2020.

Unusual system activity and file encryption were detected on or around May 31, 2020. Prompt action was taken to isolate the affected systems and an investigation was launched to determine the nature and scope of the incident. Assisted by a third-party security firm, Ascend Clinical determined access to its systems was gained when an employee responded to a phishing email.

Prior to the use of ransomware, the attackers accessed files that contained names, dates of birth, mailing addresses, and Social Security numbers. Ascend Clinical has since taken steps to strengthen its email security defenses to prevent similar attacks in the future.

The breach report submitted to the HHS’ Office for Civil Rights indicates 77,443 individuals were affected by the incident.

Alamance Skin Center Suffers Ransomware Attack

The Greensboro-based health system, Cone Health, has suffered a ransomware attack that affected the Alamance Skin Center in Burlington, NC.

The ransomware attack was limited to the single practice and occurred in late July 2020. It is believed to have started with a phishing attack or brute force attempt to obtain credentials. Prompt action was taken to isolate the impacted systems and third-party computer forensics experts were retained to assess the scope of the breach. The investigation did not find any evidence to suggest patient information was stolen prior to the encryption of files and no reports have been received that indicate patient information has been misused.

However, some patient information was encrypted in the attack and is unrecoverable. Cone Health reports the protected health information affected was limited to patient names, medical record numbers, dates of birth, diagnosis information, addresses, and date(s) of service.

The attack affected the appointments system, which is not accessible. Patients with appointments have been advised to contact the practice to confirm their appointment. Since it was not possible to determine with 100% certainty that patient information was not accessed by the attackers, all affected patients have been advised to be vigilant against incidents of identity theft and fraud.

Alamance Skin Center is reviewing existing policies and procedures and will be implementing additional safeguards to prevent similar incidents in the future.

The breach report submitted to the HHS’ Office for Civil Rights shows up to 100,000 patients were affected. The incident has not been reported as a network server IT incident, as is typical in ransomware attacks; instead, it is reported as a loss incident, as PHI encrypted in the attack was not recoverable for certain patients.

Perry County Memorial Hospital Discovers Email Security Breach

Perry County Memorial Hospital in Tell City, IN has discovered the email accounts of two employees have been accessed by unauthorized individuals.

An investigation was launched which revealed the accounts were accessed on August 23, 2020. A review of the compromised accounts confirmed they contained private patient data which could have been viewed or obtained by the attackers, although no evidence of data theft was identified.

The information potentially compromised was limited to names, dates of birth, diagnoses/diagnostic codes, internal patient account numbers, provider names, and other health information, along with a limited number of Social Security numbers, Medicare/Medicaid numbers, and health insurance information.

Perry County Memorial Hospital is taking steps to enhance email security to prevent similar breaches in the future. Individuals whose Social Security number was potentially compromised have been offered complimentary membership to identity theft monitoring services.

BryLin Behavioral Health Notifies Patients About Potential PHI Breach

BryLin Behavioral Health System, a provider of mental health and addiction treatment services in Buffalo, NY, is alerting certain patients that some of their protected health information was potentially compromised as a result of a cybersecurity incident that occurred in August 2020.

Unusual network activity was detected by BryLin on August 19, 2020. Immediate action was taken to secure the network and an investigation was launched which revealed its systems had been compromised on August 14, 2020. Unauthorized individuals potentially accessed documents on the compromised systems that contained patient names, dates of birth, addresses, treatment information and/or clinical information and, in some instances, patients’ Social Security numbers and/or health insurance information. The breach only affected data of patients who received medical services at BryLin hospital. Patient information from its outpatient clinic, outpatient substance use, and outpatient mental health care services was not affected.

All patients affected by the breach have now been notified and the 75 patients who had their Social Security number exposed have been offered complimentary credit monitoring services.

It is currently unclear how many individuals have been affected by the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.