CHI Health Ransomware Attack Impacts 48,000 Lakeside Patients

The Omaha, NE-based 14-hospital health system, CHI Health, has experienced a ransomware attack in which the protected health information of approximately 48,000 patients has potentially been compromised.

The attack was discovered on August 1, 2019 and affected an old electronic health record system that contained the medical records patients who had received medical services at CHI Health’s Lakeside Orthopedic Clinic prior to April 2016.

The investigation confirmed that a database used by the medical record system had been encrypted in the attack. A full investigation into the attack was launched and while it is possible that patient information was accessed or copied by the attackers, no evidence of unauthorized data access or data exfiltration was discovered and there have been no reports of misuse of patient information. The attack appears to have been conduced solely with the aim of extorting money from CHI Health.

The types of information contained in the database included patient names, addresses, contact telephone numbers, dates of birth, Social Security numbers, diagnoses, treatment information, and other medical information.

Affected individuals have been notified about the breach by mail and the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights and other appropriate authorities.

Out of an abundance of caution, all affected individuals have been offered a 12-month complimentary subscription to credit monitoring and identity theft protection services. CHI Health has also taken steps to reduce the likelihood of similar breaches occurring in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.