Mat-Su Surgical Associates Suffer Ransomware Attack

Palmer, AK-based Mat-Su Surgical Associates has announced they were the victim of a ransomware attack in March, 2020. The attack was discovered on March 16 when staff were locked out of their computer systems.

A team of independent computer forensics investigators were engaged to assess the nature and scope of the attack and determine whether any patient data had been accessed or stolen by the attackers. It was not possible to determine whether the attacker had exfiltrated data or viewed patient information prior to encryption, but the investigators could not rule out unauthorized data access. The attacker was determined to have gained access to parts of its computer system that contained the protected health information of 13,146 patients.

The information potentially compromised in the attack included the names of current and former patients of Valley Surgical Associates and Mat-Su Surgical Associates, along with addresses, diagnoses, treatment information, lab test results, health insurance information, Social Security numbers, and other information related to the medical care they received.

All affected patients have been notified by mail and offered complimentary membership to credit monitoring and identity theft protection services through ID Experts.

Mat-Su Surgical Associates has taken steps to improve security, including implementing additional measures to prevent unauthorized remote access to its systems.

The Little Clinic Discovers Online Appointment System Bug Exposed PHI

The Little Clinic, a network of more than 215 medical care clinics in Ohio, Kansas, Kentucky, Tennessee, Arizona, Georgia, Indiana, Virginia and Colorado, has discovered a bug in its online appointment system potentially resulted in an unauthorized disclosure of patients’ protected health information.

The bug was discovered by The Little Clinic and was determined to have been introduced on October 7, 2018. The issue was corrected on February 13, 2020 and measures were implemented to prevent similar breaches in the future.

The coding error meant that if a patient made an appointment and subsequently modified it online, the patient’s name, address, date of birth, and telephone number could be accessed by through domains. The investigation revealed up to 10,974 patients were potentially affected and may have had some of their personal information disclosed.

The Little Clinic found no evidence to suggest patient data was accessed or misused but determined on April 7, 2020 that the incident constituted a data breach. All individuals potentially affected have now been notified by mail.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.