Share this article on:
Palmer, AK-based Mat-Su Surgical Associates has announced it was attacked with ransomware in March. The attack was discovered on March 16 when staff were locked out of its computer systems as a result of the encryption of essential files.
A team of independent computer forensics investigators were engaged to assess the nature and scope of the attack and to determine whether any patient data had been accessed or stolen by the attackers. It was not possible to determine whether the attacker had exfiltrated data or viewed patient information prior to encryption, but the investigators could not rule out unauthorized data access. The attacker was determined to have gained access to parts of its computer system that contained the protected health information of 13,146 patients.
The information potentially compromised in the attack included the names of current and former patients of Valley Surgical Associates and Mat-Su Surgical Associates along with addresses, diagnoses, treatment information, lab test results, health insurance information, Social Security numbers, and other information related to the medical care provided.
All affected patients have been notified by mail and offered complimentary membership to credit monitoring and identity theft protection services through ID Experts.
Mat-Su Surgical Associates has taken steps to improve security, including implementing additional measures to prevent unauthorized remote access to its systems.
The Little Clinic Discovers Online Appointment System Bug that Exposed PHI
The Little Clinic, a network of more than 215 medical care clinics in Ohio, Kansas, Kentucky, Tennessee, Arizona, Georgia, Indiana, Virginia and Colorado, has discovered a bug in its online appointment system potentially resulted in an unauthorized disclosure of patients protected health information.
The bug was discovered internally by The Little Clinic and was determined to have been introduced on October 7, 2018. The issue was corrected on February 13, 2020 and measures were implemented to prevent similar breaches in the future.
The coding error meant that if a patient made an appointment and subsequently modified it online, the patient’s name, address, date of birth, and telephone number could be accessed by other domains. The investigation revealed up to 10,974 patients were potentially affected and may have had some of their personal information disclosed.
The Little Clinic found no evidence to suggest patient data was accessed or misused but determined on April 7, 2020 that the incident constituted a data breach. All individuals potentially affected have now been notified by mail.