HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Nationwide Laboratory Services Ransomware Attack Affects 33,000 Patients

Boca Raton, FL-based Nationwide Laboratory Services, which was acquired by Quest Diagnostics in the summer, was the victim of a ransomware attack earlier this year.

Nationwide Laboratory Services detected a breach of its systems on May 19, 2021, when ransomware was used to encrypt files across its network and prevent files from being accessed. Steps were immediately taken to contain the attack and a third-party cybersecurity firm was engaged to assist with the investigation and remediation efforts.

The forensic investigation confirmed on August 31, 2021, that the attackers gained access to parts of its network where patients’ protected health information was stored, and potentially accessed information such as names, dates of birth, lab test results, medical record numbers, Medicare numbers, and health insurance information. A subset of the individuals affected had their Social Security numbers exposed. The types of information exposed in the attack varied from patient to patient.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the protected health information of up to 33,437 individuals was potentially compromised.

Nationwide Laboratory Services said it is possible that the attackers exfiltrated a limited number of files from its network prior to deploying ransomware to encrypt files; however, no evidence has been uncovered to indicate patient data has been or will be used for any unintended purposes. As a precaution, affected individuals are being encouraged to review their accounts and explanation of benefits statements for signs of fraudulent activity.

Nationwide Laboratory Services has offered 12 months of complimentary credit monitoring services to individuals whose Social Security numbers were stored on the affected systems.

The FBI recently issued a private industry notification about ransomware actors who are targeting companies involved in significant financial events, such as mergers and acquisitions, and using exfiltrated data as leverage in their efforts to extort money from victims. There have been several cases where the attackers have threatened to release sensitive and potentially harmful information that would negatively affect stock prices, in order to encourage payment of the ransom.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.