Ransomware Gangs Attack Missouri Delta Medical Center and Barlow Respiratory Hospital
Sep21

Barlow Respiratory Hospital in Los Angeles, CA has announced that it suffered a ransomware attack on August 27, 2021. The attack was conducted by the Vice Society ransomware gang, which gained access to its network and electronic medical record system. Prior to using ransomware to encrypt files, the gang exfiltrated patient data, some of which has been posted on the gang’s dark web data leak site. Barlow Respiratory Hospital said that while the attack affected several IT systems, the hospital was able to continue to operate under its emergency procedures, and patient care was not interrupted. Upon detection of the security breach, law enforcement agencies were notified and a third-party cybersecurity firm was engaged to assist with the investigation and determine the scope of the data breach. The investigation into the attack is ongoing. While some ransomware operations have said they will not target healthcare providers, Vice Society does not fall into that category. The ransomware operation appeared in June 2021 and has already attacked multiple healthcare providers, including Eskenazi...

Alaska DHSS Says May 2021 Cyberattack Impacts All Alaskans
Sep21

The Alaska Department of Health and Social Services (DHSS) is about to start mailing notification letters to all individuals in the state telling them their personal and health information may have been compromised in a highly sophisticated cyberattack conducted by a nation-state threat actor. The cyberattack was detected on May 2, 2021, and the DHSS was notified about the attack on May 5 and advised to shut down its systems immediately to prevent further unauthorized access. Details of when the hackers first gained access to DHSS systems have not been released, but it is known that Advanced Persistent Threat (APT) actors had access to DHSS systems for at least 3 days. The DHSS has previously reported the security incident and issued an update about the breach in August. The latest update, on September 16, explains the potential impact the attack will have on Alaskans. In the latest update, the DHSS said notifications were delayed so as not to interfere with the criminal investigation into the attack. The cyberattack was extensive and caused major disruption. Some IT systems...

Hacked Simon Eye Management Email Accounts Contained PHI of More than 144,000 Patients
Sep20

Wilmington, DE-based Simon Eye Management has suffered a breach of its email environment and hackers potentially gained access to the protected health information of 144,373 patients. Simon Eye identified suspicious activity in certain employee email accounts on or around June 8, 2021. Action was immediately taken to secure the accounts and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the breach. Assisted by third-party security experts, Simon Eye determined that unauthorized individuals gained access to employee email accounts between May 12 and May 18, 2021. The incident was an attempted business email compromise (BEC) attack, where employee email accounts are compromised and used in a scam to trick employees into making fraudulent wire transfers, in this case through the manipulation of invoices. Simon Eye said none of the attackers’ attempts were successful. While gaining access to patient data did not appear to be the goal of the attackers, the email accounts they were able to access did contain patients’...

Webinar Sept 22: Do I Need to be HIPAA Compliant?
Sep18

“Covered Entities” are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). Covered entities are healthcare providers, health plans, and healthcare clearinghouses, which must ensure they are fully compliant with the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules. There is a common misconception that HIPAA only applies to these entities, when compliance is mandatory for virtually all companies and individuals who work in healthcare in any capacity. There have been many fines imposed on organizations and companies that did not believe compliance was necessary or failed to fully grasp what compliance entailed. Any company or individual that either handles protected health information (PHI) or otherwise comes into contact with PHI is required to comply with the HIPAA Rules, even if they do not fall under the classification of covered entity. That includes any business that provides goods or services to covered entities that requires contact with PHI. To clear up confusion about whether compliance with the HIPAA Rules is required,...

Stolen Laptop Contained the PHI of Dignity Health Patients
Sep17

Resource Anesthesiology Associates (RAA) of California has started notifying certain patients of Dignity Health’s Mercy Hospital Downtown and Mercy Hospital Southwest that some of their protected health information was stored on a laptop computer that was stolen. RAA of California provides anesthesiology services at the Dignity Health hospitals, which requires access to patient data. On July 8, the laptop was stolen from an RAA of California administrator. The theft was reported to law enforcement, but the device has not been recovered. RAA of California conducted an investigation to determine which patient information was stored on the device and could potentially be accessed. The review confirmed the following types of information were stored on the device: Names, addresses, dates of birth, provider names, dates of service, diagnoses and treatment information, health insurance information, and other information related to patients’ medical care. The laptop computer was protected with a password, which provides a degree of protection against unauthorized access. However, passwords...
