HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breaches Reported by Vista Radiology, Indian Creek Foundation & Mankato Clinic

Vista Radiology Reports Breach of the PHI of up to 3,634 Individuals

Knoxville, TN-based Vista Radiology has notified 3,634 patients about a ransomware attack experienced on July 11, 2021, which took part of its network offline. A leading computer forensics firm was engaged to conduct a full investigation into the attack. The initial investigation appeared to suggest the sole purpose of the attack was to encrypt its systems, and that data exfiltration was not involved. However, Vista Radiology was informed on July 15 that some evidence had been found that files or folders containing patient data had been accessed and viewed.

The investigation confirmed files were encrypted on the evening of July 10, with a subset of those files accessed prior to encryption. The files that had been viewed only contained a limited amount of patient data and no significant amount of data was exfiltrated by the attackers. It was not possible to determine if the PHI of any specific patients had been accessed, so notification letters were sent to all patients potentially affected by the attack. The investigation indicates protected health information was not acquired or misused.

Vista Radiology said the encrypted data had been backed up and could be restored and that it did not negotiate with the malicious third party. Steps have since been taken to improve the security of its network environment, which involved a complete rebuild and redesign of network security. All affected patients have been notified and offered 12 months of complimentary identity and credit monitoring services.

Indian Creek Foundation Breach Affects 2,405 Patients

Indian Creek Foundation has notified 2,405 patients about a ransomware attack that occurred on February 6, 2021. Steps were immediately taken to contain the attack and third-party computer forensics specialists were engaged to investigate the security breach.


The investigation confirmed certain files and folders may have been exfiltrated from its systems prior to the use of ransomware to encrypt files. On or around April 15, 2021, a programmatic and manual review of all affected files was conducted to determine which patients were affected and what data was involved. It was confirmed on or around July 14 that patient data was included in the compromised files and folders. It took until August 24 to verify contact information for those individuals, and notification letters have now been sent to all affected patients.

The data potentially viewed or exfiltrated by the attackers included names, Social Security numbers, driver’s license numbers, health insurance information, medical treatment/diagnosis information, and financial account information. Complimentary access to credit monitoring and identity restoration services has been offered to those individuals.

Indian Creek Foundation said policies and procedures have been revised and updated and additional safeguards have been implemented to reduce the likelihood of similar events in the future.

Mankato Clinic Privacy Breach Affects 535 Patients

Mankato, MN-based Mankato Clinic has discovered a breach of the protected health information of 535 patients. On August 3, 2021, a spreadsheet containing patient data was emailed to an external email account in error by an employee. The error was detected within a few minutes and the recipient was contacted and told to delete the email and spreadsheet.

The recipient confirmed that the email had been deleted and the spreadsheet had not been opened; however, the email was not encrypted so there is a small probability that it could have been intercepted in transit. The spreadsheet contained the following types of patient information: Name, address, phone number, email address, date of birth, sex, medical record number, healthcare provider’s name, diagnosis information, and primary insurance carrier.

The investigation into the incident confirmed the error occurred due to the use of the email auto-complete feature. All employees have been provided with HIPAA training, so the employee in question knew the incident was a HIPAA breach and self-reported the error.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.