HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Maze Ransomware Attack on Accounting Firm Impacts Patients of New York Medical Group

The Albany, NY-based accounting, tax, and advisory firm, BST & Co. CPAs LLC, has experienced a Maze ransomware attack that has affected patients of the New York medical group, Community Care Physicians P.C.

The Maze ransomware gang is one of a handful of threat groups that exfiltrate data from victims before deploying their ransomware payload, then threaten to publish the stolen data if the ransom is not paid. The gang has since published some of the data stolen in this attack, including the names, dates of birth, addresses, contact telephone numbers, and Social Security numbers of BST employees.

BST has issued a statement saying a computer virus was detected on December 7, 2019 which prevented access to its files. In addition to internal data, some information related to local clients was also potentially compromised, including Community Care Physicians.

A leading computer forensics firm was engaged to assist with the investigation and determine the nature and scope of the attack. The forensics experts determined that the malware was active on the network from December 4, 2019 to December 7, 2019 and that the attackers had gained access to parts of the network where client data was stored. BST was able to recover the encrypted data from backups, although restoring from backup addresses only the encryption; it does not undo the theft of data that was exfiltrated before the ransomware was deployed.

BST completed its identification of the individuals affected by the breach on February 5, 2020, and notification letters were sent on February 14, 2020. The compromised client data included names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions.

The HHS’ Office for Civil Rights breach portal shows the PHI of up to 170,000 patients was potentially compromised in the attack.

United Regional Phishing Attack Affects 1,893 Patients

Wichita Falls, TX-based United Regional Health Care System has announced that it suffered a phishing attack in which the email account of one of its employees was accessed by an unauthorized individual. The attack occurred in July 2019, but the investigation, including a review of the email account to determine whether patient information was exposed, was not completed until December 2019.

It was not possible to determine whether emails were accessed or copied by the attacker, but unauthorized access and data theft could not be ruled out. The email account contained patient names, dates of birth, patient account and/or medical record numbers, and clinical information such as provider name and location, lab test results, diagnostic data, prescription information, procedures, and/or treatment information. A limited number of individuals also had their Social Security numbers, driver’s license numbers, health insurance information, and/or passport information exposed.

Patients were notified about the breach on February 18, 2020. Individuals whose Social Security number or driver’s license number was included in the account have been offered complimentary credit monitoring and identity theft protection services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.