HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI Exposed in Cyberattacks on Methodist McKinney Hospital and Columbia River Mental Health Services

Methodist McKinney Hospital in Texas has recently announced that its systems have been accessed by unauthorized individuals who removed files containing sensitive data from its systems. The security incident was detected on July 5, 2022, and a third-party cybersecurity firm was engaged to investigate the nature and scope of the incident. The investigation confirmed that the attackers had access to its systems between May 20, 2022, and July 7, 2022, and during that time, files were exfiltrated that contained patient data. The preliminary investigation has confirmed that the files contained names, addresses, Social Security numbers, birth dates, medical history information, medical diagnosis information, treatment information, medical record numbers, and health insurance information.

The investigation into the security breach is ongoing and a detailed review of all affected files has been initiated to determine the patients affected. The breach is known to have affected patients of Methodist McKinney Hospital, Methodist Allen Surgical Center, and Methodist Craig Ranch Surgical Center. Notifications will be sent to affected individuals in due course.

Methodist McKinney Hospital did not disclose the nature of the attack in the substitute breach notification, but this appears to have been a ransomware attack. The Karakurt ransomware gang has listed Methodist McKinney Hospital on its data leak site as a pre-release and claims to have exfiltrated 367 GB of data in the attack.

Update: The breach has been reported to the HHS’ Office for Civil Rights as affecting 110,244 patients of Methodist McKinney Hospital and 15,157 patients of Methodist Craig Ranch Surgical Center. It is currently unclear how many Methodist Allen Surgical Center patients have been affected.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Columbia River Mental Health Services Reports Breach of Employee Email Accounts

Columbia River Mental Health Services has recently notified the HHS’ Office for Civil Rights about a security incident involving certain employee email accounts. According to the breach notice, suspicious activity was detected in certain email accounts, and third-party forensics experts were engaged to investigate the breach. The investigation confirmed that the email accounts were accessed by unauthorized individuals between May 14, 2021, and April 8, 2022.

A review was conducted of the affected accounts, which confirmed on July 6, 2022, that they contained patients’ protected health information. The review of the information in the accounts is ongoing and notification letters will be sent to affected individuals when the review is completed. The breach has been reported to the HHS’ Office for Civil Rights as affecting ‘501’ individuals to meet the deadline for reporting the incident. The breach total will be updated when the number of affected individuals is confirmed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.