HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CSI Laboratories and Christie Clinic Report Data Breaches; Scripps Health Sends Additional Notification Letters

Email Account Breach Reported by Christie Clinic

Christie Business Holdings Company, P.C., doing business as Christie Clinic, has recently announced a security incident involving an employee’s email account. The company’s breach notice did not say when the breach was discovered, but the forensic investigation confirmed on January 27, 2022, that the email account was accessed by an unauthorized individual between July 14, 2021, and August 19, 2021.

Christie Clinic said the purpose of the attack appeared to be to intercept a business transaction between the clinic and a third-party vendor, rather than to obtain sensitive data from the email account, but it was not possible to determine to what extent emails in the account had been accessed. Christie Clinic said the investigation confirmed that the breach was limited to a single email account and no other systems or accounts were affected. The review of information in the account revealed on March 10, 2022, that the emails included protected health information such as names, addresses, Social Security numbers, medical information, and health insurance information. Notification letters were sent to affected individuals on March 24, 2022.

Christie Clinic said it already uses industry-leading network security solutions and performs regular and ongoing data security and privacy training, and that additional safeguards have been implemented.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 502,869 individuals, which puts it among the three largest healthcare data breaches to be reported so far in 2022.


Conti Ransomware Gang Claims Responsibility for Cyberattack on CSI Laboratories

Cytometry Specialists, Inc., doing business as CSI Laboratories in Alpharetta, GA, has recently announced it was the victim of a cyberattack that was discovered on February 12, 2022. An investigation was launched, which confirmed that files containing limited patient data were exfiltrated from its systems. The files mostly contained patient names and case numbers used for identifying patients, but for a limited number of patients also included addresses, dates of birth, medical record numbers, and health insurance information.

CSI Laboratories said in its web notification that at this stage of the investigation there does not appear to have been any misuse of patient data. While CSI Laboratories did not disclose the nature of the cyberattack, the Conti ransomware gang has claimed responsibility and has published a sample of the exfiltrated data on its data leak site. CSI Laboratories said it has now brought its system back online and it is monitoring its network closely for unusual activity. There was no mention made about any ransom being paid.

The HHS’ Office for Civil Rights breach portal indicates 312,000 individuals have been affected.

Scripps Health Sends Additional Notification Letters About 2021 Ransomware Attack

On June 1, 2021, Scripps Health in San Diego notified the HHS’ Office for Civil Rights about a ransomware attack in which the protected health information of 147,267 patients was potentially compromised. Hackers had gained access to its network between April 26, 2021, and May 1, 2021, and potentially exfiltrated files containing patient data. The attack prompted class action lawsuits and cost the healthcare provider more than $113 million in losses.

Almost a year after its network was breached, NBC 7 was contacted by a patient who received a notification letter dated March 15, 2021, informing her that her protected health information was potentially compromised in the attack, including her name, address, date of birth, health insurance information, medical record number, patient account number, and clinical information such as diagnosis or treatment information. The patient had not previously been notified about the ransomware attack.

NBC 7 contacted Scripps Health, which confirmed that the manual document review had recently concluded and that it was determined that additional patient data had potentially been compromised in the attack, but declined to say how many additional patients had been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.