Magnolia Pediatrics and Accents on Health Suffer Ransomware Attacks

Prairieville, LA-based Magnolia Pediatrics is notifying 12,861 patients that some of their protected health information has potentially been compromised in a ransomware attack that occurred on or around March 26, 2020.

The ransomware attack was investigated by its IT vendor, LaCompuTech, which determined only its master boot record had been affected and patient information had not been accessed, encrypted or exported by the attackers. The IT vendor determined a HIPAA breach had not occurred and the incident therefore did not need to be reported to the HHS’ Office for Civil Rights and notification letters to patients were not warranted.

However, OCR informed Magnolia Pediatrics on September 11, 2020 that the incident was a reportable data breach and patient notification letters were required. OCR explained that any hacker who was able to access the master boot record must have had full control of the server and therefore had access to any protected health information stored on that server.

Protected health information stored on the server included patients’ names, addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, and clinical information, including diagnoses, lab test results, treating physicians’ names, medications, medical histories, and dates of service.

Magnolia Pediatrics said the investigation uncovered no evidence to suggest any patient data was exfiltrated and no patient information was encrypted in the attack. Magnolia Pediatrics is taking several steps to improve security, including the use of multi-factor authentication on its servers and systems, improved filtering for email and traffic, and multiple intrusion prevention and detection systems. A systematic risk analysis and remediation process has also been implemented for its computer systems. Further cybersecurity awareness training has been provided to the workforce and the dark web is being monitored for any email addresses associated with Magnolia Pediatrics.

Magnolia Pediatrics has terminated its relationship with LaCompuTech and has engaged a leading information technology and security provider to oversee the security of its computer systems.

This is the second ransomware attack to have affected Magnolia Pediatrics in the past 14 months. The earlier attack occurred on August 23, 2019 and impacted 11,100 patients.

Accents on Health Suffers Ransomware Attack

The Lone Tree, CO-based chiropractor, Accents on Health, suffered a ransomware attack on August 5, 2020, which encrypted data on its computer systems. Cybersecurity forensics specialists were engaged to investigate the breach and determine whether patient data had been accessed or exfiltrated by the attackers.

No evidence was found to suggest patient information was exfiltrated prior to the attack, but data theft could not be ruled out. The affected computer systems contained the protected health information of 2,000 patients, including full names, addresses, dates of birth, account numbers, Social Security numbers, medical information, diagnosis codes, and insurance information.

No reports have been received to suggest protected health information has been misused. Accents on Health is now reviewing its software, systems, policies, and procedures and will implement additional safeguards to prevent further cyberattacks.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.