HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cyberattack and Data Destruction Reported by First Street Family Health

Salida, CO-based First Street Family Health has suffered a destructive cyberattack in which files containing patient information were exfiltrated and then deleted from its systems. This method of attack is becoming more common: data is stolen and deleted, and threats are then issued to publish or sell the data if payment is not made to the attackers, but files are not encrypted using ransomware.

First Street Family Health said the attack was detected on July 16, 2022, with the investigation confirming that the attackers first gained access to its systems on July 5, 2022. The unauthorized access was blocked on July 16. The attackers deleted electronic medical records from June 28, 2021, to July 15, 2022, and while backups of those records had been made, the backups were also deleted so the information in those records has been lost. No evidence was found to indicate those records were stolen. Medical referral forms stored on the affected computer systems may have been viewed or acquired, but those records were successfully restored from backups.

The breached records included full names, addresses, birth dates, phone numbers, email addresses, Social Security numbers, dates of service, nature of services, diagnoses, conditions, lab results, medications, health insurance identification cards and numbers, and billing information.

Notification letters were sent to affected individuals on August 26, 2022, and complimentary memberships to CyberScout’s credit monitoring service have been offered. First Street Family Health said a national cybersecurity firm assisted with the investigation and conducted a security review, and additional security measures are being implemented based on the firm’s recommendations.

Update: The incident has been reported to the HHS’ Office for Civil Rights as affecting 7,310 individuals.

Northeast Rehabilitation Hospital Network Notifies Patients About 2021 Cyberattack

Salem, NH-based Northeast Rehabilitation Hospital Network (NRHN) has started notifying patients that unauthorized individuals gained access to its computer systems and may have viewed or obtained sensitive data. The data breach was detected on September 30, 2021, when suspicious activity was identified within its network. The subsequent investigation confirmed its systems were compromised between September 30, 2021, and October 5, 2021.

NRHN said the delay in issuing notifications to affected individuals was due to the time-consuming process of reviewing all affected files on its systems, a process that was not completed until August 3, 2022. Notification letters are now being sent, and individuals will be informed in those letters about the types of information that were involved. NRHN said it is unaware of any attempted or actual misuse of patient data. Credit monitoring and identity theft protection services have been offered to affected individuals.

This post will be updated when the number of affected individuals is known.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.