Dickinson County Health Suffers Ransomware Attack
Michigan-based Dickinson County Health has suffered a malware attack that has taken its EHR system offline. The attack has forced the health system to adopt EHR downtime procedures and record patient data using pen and paper. The attack commenced on October 17, 2020 and disrupted computer systems at all its clinics and hospitals in Michigan and Wisconsin.
Systems were shut down to contain the malware and third-party security experts have been retained to investigate the breach and restore its systems and data. While the attack caused considerable disruption, virtually all patient services remained fully operational. It is currently unclear whether patient data were accessed or stolen by the attackers.
“We are treating this matter with the highest priority and are responding by using industry best practices while implementing aggressive protection measures,” said Chuck Nelson, DCHS CEO. “While we investigate, our top priority is maintaining our high standards for patient care throughout our system.”
25,000 Individuals Potentially Impacted by Passavant Memorial Homes Security Breach
Passavant Memorial Homes Family of Services (PMHFOS), a Pennsylvania-based provider of support services for individuals with intellectual disabilities, autism, and behavioral health needs, has experienced a security breach in which the protected health information of its clients may have been compromised.
The incident occurred on August 15, 2020. An unauthorized individual used the contact form on its website to send a message to an authorized user confirming a username and password had been obtained that gave access to its systems. The message alerted PMHFOS to the vulnerability and the individual claimed no malicious actions were taken.
The breach was investigated by third-party computer forensics experts, who determined that malware had not been installed and no files had been encrypted; however, it was not possible to determine whether any individually identifiable information had been accessed or exfiltrated. Scans were conducted on the dark web to determine whether any client information had been released, but no information was found. A review of the systems that were accessible revealed they contained the PHI of 25,000 individuals.
In response to the breach, PMHFOS disabled the compromised account, performed a system-wide password reset, provided further security awareness training to employees, and updated its network security measures. Two-factor authentication has also been implemented. The breach was reported to law enforcement and PMHFOS’ cyber insurance carrier.
Email Error Exposed Email Addresses of Michigan Medicine Patients
Ann Arbor, MI-based Michigan Medicine has started notifying 1,062 patients that their names, email addresses, and limited health information may have been accessed by unauthorized individuals.
Michigan Medicine sent an email communication in late September to patients advising them about an inflammatory bowel disease event; however, the email addresses of patients were not added to the blind carbon copy (BCC) field and could therefore be viewed by all other individuals on the mailing list.
The email did not contain highly sensitive information, although it may have been possible to determine the names of patients from their email addresses and the email identified individuals as suffering from inflammatory bowel disease.
When the error was discovered, separate emails were sent to all individuals on the mailing list informing them about the error and instructing them to delete the first email. Letters were also sent to affected patients on October 16. Michigan Medicine has now changed its procedures for emailing patients to prevent similar errors in the future.