August 2021 Healthcare Data Breach Report
Sep21

August 2021 Healthcare Data Breach Report

There was a 44% month-over-month decrease in the number of reported healthcare data breaches in August 2021. 38 healthcare data breaches of 500 or more records were reported by healthcare providers, health plans, and their business associates in August. August’s reported data breaches takes the total number of healthcare data breaches in the past 12 months to 707 (Sep 2020 to August 2021), with 440 of those data breaches reported in 2021. While there was a marked fall in the number of reported breaches, 5,120,289 healthcare records were breached across those 38 incidents, which is well above the 12-month average of 3.94 million breached records a month. The high total was largely due to two major ransomware attacks on St. Joseph’s/Candler Health System and University Medical Center Southern Nevada, which involved 2.8 million healthcare records combined. Largest Healthcare Data Breaches Reported in August 2021 Ransomware gangs continued to target the healthcare industry in August. The attacks can cause disruption to care and can put patient safety at risk. Some of the attacks...

Read More
Ransomware Gangs Attack Missouri Delta Medical Center and Barlow Respiratory Hospital
Sep21

Ransomware Gangs Attack Missouri Delta Medical Center and Barlow Respiratory Hospital

Barlow Respiratory Hospital in Los Angeles, CA has announced it has suffered a ransomware attack on August 27, 2021. The attack was conducted by the Vice Society ransomware gang, which gained access to its network and electronic medical record system. Prior to using ransomware to encrypt files, the gang exfiltrated patient data, some of which has been posted on the gang’s dark web data leak site. Barlow Respiratory Hospital said while the attack affected several IT systems, the hospital was able to continue to operate under its emergency procedures and patient care was not interrupted. Upon detection of the security breach, law enforcement agencies were notified and a third-party cybersecurity firm was engaged to assist with the investigation and determine the scope of the data breach. The investigation into the attack is ongoing. While some ransomware operations have said they will not target healthcare providers, Vice Society does not fall into that category. The ransomware operation appeared in June 2021 and has already attacked multiple healthcare providers, including Eskenazi...

Read More
Alaska DHSS Says May 2021 Cyberattack Impacts All Alaskans
Sep21

Alaska DHSS Says May 2021 Cyberattack Impacts All Alaskans

The Alaska Department of Health and Social Services (DHSS) is about to start mailing notification letters to all individuals in the state telling them their personal and health information may have been compromised in a highly sophisticated cyberattack conducted by a nation state threat actor. The cyberattack was detected on May 2, 2021 and the DHSS was notified about the attack on May 5, and was advised to shut down its systems immediately to prevent further unauthorized access. Details of when the hackers first gained access to DHSS systems has not been released, but it is known that Advanced Persistent Threat (APT) actors had access to DHSS systems for at least 3 days. The DHSS has previously reported the security incident and issued an update about the breach in August. The latest update, on September 16, explains the potential impact the attack will have on Alaskans. In the latest update, the DHSS said notifications were delayed so as not to interfere with the criminal investigation into the attack. The cyberattack was extensive and caused major disruption. Some IT systems...

Read More
Webinar Tomorrow: Do I Need to be HIPAA Compliant?
Sep21

Webinar Tomorrow: Do I Need to be HIPAA Compliant?

“Covered Entities” are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). Covered entities are healthcare providers, health plans, and healthcare clearinghouses, which must ensure they are fully compliant with the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules. There is a common misconception that HIPAA only applies to these entities, when compliance is mandatory for virtually all companies and individuals who work in healthcare in any capacity. There have been many fines imposed on organizations and companies that did not believe compliance was necessary or failed to fully grasp what compliance entailed. Any company or individual that either handles protected health information (PHI) or otherwise comes into contact with PHI is required to comply with the HIPAA Rules, even if they do not fall under the classification of covered entity. That includes any business that provides goods or services to covered entities that requires contact with PHI. To clear up confusion about whether compliance with the HIPAA Rules is required,...

Read More
Hacked Simon Eye Management Email Accounts Contained PHI of More than 144,000 Patients
Sep20

Hacked Simon Eye Management Email Accounts Contained PHI of More than 144,000 Patients

Wilmington, DE-based Simon Eye Management has suffered a breach of its email environment and hackers potentially gained access to the protected health information of 144,373 patients. Simon Eye identified suspicious activity in certain employee email accounts on or around June 8, 2021. Action was immediately taken to secure the accounts and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the breach. Assisted by third -party security experts, Simon Eye determined that unauthorized individuals gained access to employee email accounts between May 12 and May 18, 2021. The incident was an attempted business email compromise (BEC) attack, where employee email accounts are compromised and used in a scam to trick employees into making fraudulent wire transfers, in this case through the manipulation of invoices. Simon Eye said none of the attackers’ attempts were successful. While gaining access to patient data did not appear to be the goal of the attackers, the email accounts they were able to access did contain patients’...

Read More