HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Memorial Health System Confirms 216K Patients Affected by August 2021 Ransomware Attack

Ohio-based Memorial Health System has recently confirmed that the ransomware attack it experienced in August 2021 potentially involved the protected health information of 216,478 patients. The ransomware attack forced the health system to divert certain patients to other facilities and cancel some appointments to ensure patient safety. The attack was announced shortly after the breach, which occurred on August 14, 2021. The investigation revealed that its network was first breached on July 10, 2021.

The incident was reported to the HHS’ Office for Civil Rights promptly, although at the time it was not known how many individuals had been affected. Memorial Health System discovered patient data may have been involved on or around September 17, 2021, and a comprehensive review of all affected files followed. On November 1, 2021, the scope of the incident was determined, but it took until December 9, 2021, to confirm the individuals affected and the specific types of data involved, hence the delay in issuing notifications. Written notices were sent to affected individuals on or around January 12, 2022.

The information exposed and potentially exfiltrated included names, addresses, Social Security numbers, medical/treatment information, and health insurance information. Affected individuals have been offered a complimentary 12-month membership to Kroll’s credit monitoring service. Memorial Health System has since implemented additional safeguards to improve its security posture.

MedQuest Pharmacy Data Breach Affects 39,447 Individuals

In mid-December, MedQuest Pharmacy started notifying 39,447 patients that some of their protected health information had potentially been compromised in a cyberattack that was detected on November 18, 2021. Assisted by its parent companies – UpHealth Inc and Innovations Group – and independent cybersecurity experts, MedQuest determined the attackers first gained access to its systems on October 27, 2021, and that unauthorized access to its environment was blocked on October 30, 2021.


A comprehensive review of all affected systems revealed the following types of information had potentially been accessed and/or acquired in the attack: names, birth dates, addresses, email addresses, telephone numbers, genders, medical record numbers, health information, prescription information, referring doctor names, date(s) of treatment, health insurance policy numbers (including Medicare or Medicaid number), and internal MedQuest patient identification number.

MedQuest said a very small number of individuals also had their Social Security Number, driver’s license number, financial account/payment card information, health insurance claim number, policy information, and/or claim/appeal information exposed. All affected individuals have been offered a complimentary 12-month membership to Equifax’s credit and identity monitoring services.

Oscar Health Plan of California Notifies Members About 3rd Party Mismailing Incident

Oscar Health Plan of California has started notifying 7,632 individuals about an error at a printing vendor that resulted in their statements being sent to another health plan member.

According to a recent press release, the error affected mailings between October 28, 2021, and November 16, 2021. The statements included a limited amount of plan member information including name, claim number, health plan ID number, provider information, date(s) of service, procedure/service name, and plan name/affiliation only. In each case, the statement was sent to only one other plan member.

Oscar Health Plan has worked with its printing vendor to implement additional safeguards to prevent further mailing errors and has received no reports of any misuse of plan members’ information.

Update: February 3, 2022 – The mismailing incident also affected 6,290 Oscar Insurance Company of Florida members, 792 Oscar Buckeye State Insurance Corporation members, and 504 Oscar Insurance Corporation of Ohio members.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.