Logan Health Medical Center Cyberattack Affects More Than 213,000 Patients
Logan Health Medical Center in Kalispell, MT, has recently started notifying certain patients that hackers gained access to a file server that housed patient information in “a highly sophisticated criminal attack.”
A security breach of its information technology systems was detected on November 22, 2021, with the initial investigation confirming a hacker had breached its security defenses. Third-party forensic investigators were retained to determine the nature and scope of the attack, and on January 5, 2022, it was confirmed that certain files on its systems that contained patient information had been accessed.
The intrusion was limited to a single file server and its electronic medical records were not compromised. A review of the files on the affected server revealed they contained patient information including names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, insurance claim information, date(s) of service, treating/referring physician, medical bill account number, and/or health insurance information. The types of information in the compromised files varied from patient to patient.
Logan Health Medical Center said no evidence has been found that suggests any information on the affected server has been misused; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity protection services through Kroll. Logan Health Medical Center said it has already implemented additional security measures to fortify its systems.
The breach has yet to appear on the HHS’ Office for Civil Rights Breach portal, but the report submitted to the Maine Attorney General indicates the protected health information of up to 213,543 individuals was potentially compromised.
NHS Management Alerts Patients About May 2021 Cyberattack
NHS Management, a Tuscaloosa, AL-based operator of 50 long-term rehabilitation facilities in Alabama, Arkansas, Florida, and Missouri, announced a data breach last month that was discovered in May 2021. NHS Management said in breach notification letters that it was the victim of a sophisticated cyberattack. There was no mention of ransomware, but NHS Management said the incident affected the functionality of certain systems and it worked quickly to restore access. At no point did the attack affect the quality of patient care. NHS said a third-party team of security specialists was assembled to investigate the attack and determine the nature and scope of the incident, and the investigation is ongoing.
The incident was reported to the HHS’ Office for Civil Rights on October 29, 2021, as affecting 501 individuals. This appears to be a placeholder to meet HIPAA breach reporting requirements until the full extent of the breach is known. NHS Management said in its breach notification letters that the investigation into the attack is ongoing and the range and scope of compromised data is still unclear due to the “volume and complexity of the files at issue.” At this stage of the investigation, there has been no evidence uncovered to suggest employee or patient information has been misused.
The investigators determined hackers gained access to its system between May 14, 2021, and May 16, 2021, and accessed certain files, but did not gain access to electronic medical records. The files accessed included the following types of information: name, contact information, medical history, treatment/diagnosis information, health information, health insurance information, Social Security number, date of birth, and driver’s license number. The types of information compromised varied from individual to individual.
Steps have already been taken to ensure the security of its systems to prevent further data breaches and NHS Management said notification letters will be sent to affected individuals as soon as is practicable after the individuals have been identified.