HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Patient Data Compromised in Ransomware Attacks on Family Christian Health Center & Jackson County Hospital

Family Christian Health Center (FCHC) in Illinois has announced it was the victim of a ransomware attack in November 2021 that compromised the protected health information of 31,000 patients. The attack was detected on November 30, 2021, with the investigation indicating the attackers first gained access to its IT systems on or around November 18, 2021.

The attackers compromised FCHC’s old dental system which contained the PHI of patients who had received dental services prior to August 31, 2020. The system contained patients’ names, birth dates, insurance card numbers, driver’s license numbers, and copies of patients’ insurance cards and driver’s licenses. FCHC said information about the dental care provided, credit card numbers, and the Social Security numbers of affected dental patients were not affected. The PHI of non-dental patients who received healthcare services between December 5, 2016, and August 31, 2020, was also compromised and included names, birthdates, addresses, insurance identification numbers, and Social Security numbers.

FCHC worked with external IT vendors to investigate the breach and a forensic investigator was engaged to determine how the attackers gained access to the network and to recommend additional security measures to prevent further attacks. FCHC said it has implemented additional technical safeguards.

Patient Data Potentially Compromised in Jackson County Hospital Ransomware Attack

Jackson County Hospital in Florida recently announced certain systems within its network have been accessed by unauthorized individuals who potentially viewed or obtained the personal and medical information of certain patients. The security breach was detected on or around January 9, 2022, when certain systems were rendered inaccessible.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Third-party forensic specialists investigated the cyberattack and determined limited patient data had been exfiltrated from its systems, including names, addresses, birthdates, telephone numbers, Social Security numbers, medical histories, medical conditions/treatment information, medical record numbers, diagnosis codes, patient account numbers, Medicare/Medicaid numbers, financial account information, and usernames/passwords. At this stage, Jackson County Hospital has not found any evidence to suggest there has been any misuse of patient data but affected patients have been advised to be vigilant and to check their account statements and explanation of benefits statements for signs of fraudulent activity.

Jackson County Hospital said the investigation into the cyberattack is ongoing and steps are being taken to improve security. Current policies and procedures are being reviewed and additional administrative and technical safeguards will be implemented to further secure the information in its systems.

The cyberattack has been reported to the HHS’ Office for Civil Rights as affecting 501 individuals – a commonly used number to meet the Breach Notification Rule reporting requirements until the full extent of the attack is determined – Update: The breach has been confirmed as affecting 98,746 patients and employees.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.