Malware Discovered on Networks of Squirrel Hill Health Center and La Clinica de la Raza
La Clinica de la Raza in Oakland, CA is alerting certain patients about a potential breach of their protected health information. Malware was detected on systems containing patient data on January 28, 2021.
A third-party forensics company was engaged to assist with the investigation into the malware attack and determined on February 26, 2021 that the malware would have allowed files containing patient data to be accessed. The breach was short-lived, as the malware had been installed and was only active on January 12, 2021.
During the short period of time that the malware was active, it is possible that documents were viewed by unauthorized individuals, but the clinic believes relatively few documents were viewed. Those documents included full names, dates of birth, phone numbers, home addresses, health insurance information, and certain health information such as dates of service, diagnosis, test results, and treatment information related to medical services provided at the clinic.
The clinic has taken steps to improve data security, including enhancing its intrusion detection and prevention system, securing login credentials, providing additional workforce training, and implementing other risk prevention measures. The breach report submitted to the HHS’ Office for Civil Rights shows 31,132 individuals were affected.
Malware Potentially Gave Cybercriminals Access to the PHI of Squirrel Hill Health Center Patients
Squirrel Hill Health Center in Pittsburgh, PA has discovered malware on its computer network that may have provided cybercriminals with access to files containing patients’ protected health information. A security breach was identified on February 4, 2021 when suspicious activity was detected on its computer network that prevented files from being accessed.
Third-party computer forensic specialists were engaged to investigate the breach and determined unauthorized individuals gained access to its systems on January 28, 2021 and access remained possible until February 4, 2021. While it is common in attacks such as this for sensitive data to be exfiltrated, Squirrel Hill Health Center found no evidence to suggest personal information was subjected to actual or attempted misuse.
A review of the files that were potentially accessed revealed they contained names, addresses, dates of birth, diagnostic codes, limited appointment scheduling details, and, for a subset of individuals, Social Security numbers. The breach has affected 23,869 individuals.
Policies, procedures, and processes related to the storage of and access to patient information are being reviewed and will be updated, as necessary, to improve security.
California Department of State Hospitals Discovers Insider Breach Worse Than Previously Thought
In March 2021, the California Department of State Hospitals announced that an employee in an IT role had accessed the data of 1,415 current and former patients and 617 employees without authorization over a 10-month period. The breach was discovered on February 25, 2021 as part of a routine review of employee access to data folders.
At the time of the announcement, the review into the insider breach was ongoing. It has now been confirmed that the breach was worse than previously thought. The data of 1,735 current and former Atascadero State Hospital employees and 1,217 DSH job applicants who had not been employed was also accessed. The data included phone numbers, email addresses, Social Security numbers, dates of birth, and health information. While the sensitive data was accessed, there is no indication that any information has been misused.
Laptop Stolen from Woolfson Eye Institute Contained Patient Data
Woolfson Eye Institute in Atlanta, GA has announced a laptop computer connected to medical testing equipment was stolen on September 21, 2020. A review of the contents of the laptop confirmed it contained a patient database that included patient names and dates of birth. No other information was exposed. The theft was reported to law enforcement, but the laptop has not been recovered.
Due to the limited nature of data on the laptop, patients are not believed to be at risk of identity theft and fraud but have been advised to remain vigilant.