PHI Exposed in Cyberattacks on Methodist McKinney Hospital and Columbia River Mental Health Services
Methodist McKinney Hospital in Texas has recently announced that its systems have been accessed by unauthorized individuals who removed files containing sensitive data from its systems. The security incident was detected on July 5, 2022, and a third-party cybersecurity firm was engaged to investigate the nature and scope of the incident. The investigation confirmed that the attackers had access to its systems between May 20, 2022, and July 7, 2022, and during that time, files were exfiltrated that contained patient data. The preliminary investigation has confirmed that the files contained names, addresses, Social Security numbers, birth dates, medical history information, medical diagnosis information, treatment information, medical record numbers, and health insurance information.
The investigation into the security breach is ongoing and a detailed review of all affected files has been initiated to determine the patients affected. The breach is known to have affected patients of Methodist McKinney Hospital, Methodist Allen Surgical Center, and Methodist Craig Ranch Surgical Center. Notifications will be sent to affected individuals in due course.
Methodist McKinney Hospital did not disclose the nature of the attack in the substitute breach notification, but this appears to have been a ransomware attack. The Karakurt ransomware gang has listed Methodist McKinney Hospital on its data leak site as a pre-release and claims to have exfiltrated 367 GB of data in the attack.
Update: The breach has been reported to the HHS’ Office for Civil Rights as affecting 110,244 patients of Methodist McKinney Hospital and 15,157 patients of Methodist Craig Ranch Surgical Center. It is currently unclear how many Methodist Allen Surgical Center patients have been affected.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Columbia River Mental Health Services Reports Breach of Employee Email Accounts
Columbia River Mental Health Services has recently notified the HHS’ Office for Civil Rights about a security incident involving certain employee email accounts. According to the breach notice, suspicious activity was detected in certain email accounts, and third-party forensics experts were engaged to investigate the breach. The investigation confirmed that the email accounts were accessed by unauthorized individuals between May 14, 2021, and April 8, 2022.
A review was conducted of the affected accounts, which confirmed on July 6, 2022, that they contained patients’ protected health information. The review of the information in the accounts is ongoing and notification letters will be sent to affected individuals when the review is completed. The breach has been reported to the HHS’ Office for Civil Rights as affecting ‘501’ individuals to meet the deadline for reporting the incident. The breach total will be updated when the number of affected individuals is confirmed.
Update October 7, 2022:
A comprehensive review of the affected email accounts confirmed on August 26, 2022, that names, addresses, Social Security numbers, driver’s license numbers, financial account information, medical information, health insurance information, usernames and passwords, and dates of birth may have been compromised. It is still unclear exactly how many individuals have been affected.
