HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Patient Data Stolen in July 2021 Cyberattack on Chelan Douglas Health District

Chelan Douglas Health District in East Wenatchee, WA, has announced it was the victim of a cyberattack in July 2021 in which the personal and protected health information of patients was exfiltrated from its systems. The breach notice uploaded to the Chelan Douglas Health District website does not disclose when the breach was detected but says a third-party cybersecurity company was engaged to investigate the cyberattack and confirmed that its network was accessed by unauthorized individuals between July 2 and July 4, 2021. A representative for the health district said this was not a ransomware attack.

The review of the files that were removed from its systems was completed on February 12, 2022, and confirmed the following types of patient data had been stolen: names, Social Security numbers, dates of birth/death, financial account information, treatment information, diagnosis information, medical record/patient numbers, and health insurance policy information.

Notification letters started to be sent to affected individuals on March 15, 2022. Individuals who had their Social Security numbers stolen have been offered complimentary credit monitoring services. Chelan Douglas Health District said it is unaware of any cases of identity fraud or other misuse of patient data. Steps have since been taken to improve the security of its systems to prevent further data breaches in the future.

The incident has not yet appeared on the HHS’ Office for Civil Rights website, so it is currently unclear exactly how many individuals have been affected. There have been some reports in the media that suggest the PHI of approximately 109,000 individuals was stolen in the attack.

BEC Attack Reported by Liberty of Oklahoma Corporation

Oklahoma’s Department of Human Services and Liberty of Oklahoma Corporation (LOC) have announced that patient information was potentially accessed in a business email compromise attack in early December 2021.

On December 7, 2022, an employee in the Oklahoma Waitlist program received an email from a spoofed email account that attempted to redirect payments that were owed to LOC. The scam was detected and no fraudulent payments were made, but while investigating the incident they determined the email account of a LOC employee had been compromised.

The email account was immediately disabled, and a review was conducted to determine the types of information that may have been accessed or stolen. The review confirmed names, addresses, dates of birth, phone numbers, Social Security numbers, Oklahoma client numbers, and the contact information of representing persons had been exposed.

LOC reported the breach to the HHS’ Office for Civil Rights as affecting 5,746 individuals.

East Tennessee Children’s Hospital Investigating Security Breach

East Tennessee Children’s Hospital is currently investigating a security breach that occurred on March 13, 2022, and caused disruption to its IT systems. A spokesperson for the hospital said the incident has not affected the ability of the hospital to provide care to patients and its internal teams and external agencies are working to minimize the disruption caused by the incident.

A forensic investigation was initiated to determine the nature and scope of the security incident, which confirmed that its network was accessed by unauthorized individuals between March 11 and March 14, 2022. The parts of the network that were accessed contained documents that included patients’ protected health information such as names, date of birth, Social Security number, driver’s license or state identification number, non-resident identification number, other demographic information, medical information, health insurance information, credit or debit card information, financial information, billing information, other personal health information, and usernames and passwords. Those documents may have been viewed or copied.

At this stage of the investigation, the extent of the breach has not been determined. The breach has been reported to the HHS’ Office for Civil Rights as affecting 501 individuals, which is a common number used as a placeholder to meet the HIPAA breach reporting requirements until the exact number of affected individuals is known. The breach notification sent to the Maine Attorney General indicates 422,531 individuals have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.