Imperial Health Ransomware Attack Impacts More Than 111,000 Patients

Imperial Health, a physicians’ network serving patients in Southwest Louisiana, is alerting more than 111,000 patients that some of their protected health information has potentially been compromised in a recent ransomware attack.

An unauthorized party succeeded in downloading ransomware onto the network, which encrypted files and a database used by Imperial Health’s Center for Orthopaedics (CFO). The attack was detected on May 19, 2019.

The database contained the protected health information of 116,262 patients. While no evidence of data access or data theft was uncovered during the investigation, it was not possible to rule out a breach of PHI. The decision was therefore taken to issue notifications to affected patients to allow them to take steps to eliminate any risk of harm.

The information stored in the database related to patients who had previously received medical services at CFO. The information varied from patient to patient and may have included name, address, telephone number, birth date, Social Security number, medical record number, diagnoses, treatment information, medications, dates of service, treating physician, and other clinical information.

The incident has been reported to law enforcement and Imperial Health is assisting with the investigation. Imperial Health has removed the ransomware from its network and has successfully restored data. New anti-virus software has now been deployed to better deal with the threat from malware and ransomware in the future.

The HHS’ Office for Civil Rights’ breach portal indicates 116,262 patients have been affected.

Lost Laptop Contained PHI of 1,500 Patients

The Philadelphia Department of Behavioral Health and Intellectual Disability Services (DBHIDS) has announced that a laptop computer containing the protected health information of approximately 1,500 patients has been lost. The laptop was password-protected but not encrypted.

The laptop computer was in a briefcase which was lost on public transport. The laptop contained information such as names, dates of birth, MCI numbers, service provider names, and Medicaid waiver services that the client had applied for or was receiving.

All 1,500 affected individuals were notified of the breach the same day that the laptop was lost and have been offered one year of credit monitoring services at no cost. A forensic review confirmed that the laptop had not been used to access patient records.

It is DBHIDS policy for all laptop computers to be encrypted, and it is unclear how this device was missed. DBHIDS will conduct a review and ensure all laptop computers are encrypted. Staff will be re-assigned to the HIPAA Basics training course, and further training on security-focused topics will also be provided.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.