Share this article on:
Syracuse ASC, dba Specialty Surgery Center of Central New York, has started notifying 24,891 patients that some of their protected health information (PHI) was potentially accessed by unauthorized individuals who gained access to its computer systems.
The breach was identified by Syracuse ASC around March 31, 2021, and steps were immediately taken to secure its systems and prevent further unauthorized access. A third-party cybersecurity firm was engaged to assist with the forensic investigation, which concluded on April 30, 2021, and determined the hackers accessed parts of its systems that contained PHI.
A second investigation was conducted to determine which individuals’ PHI had been exposed. A list of individuals potentially affected by the incident was obtained on August 16, 2021, with the delay in issuing notifications due to a “substantial data validation process to verify the accuracy of the data.”
The file review confirmed names may have been compromised along with limited health information, but no evidence was found to indicate any actual or attempted misuse of data on the compromised systems.
Several steps have already been taken to improve IT security to prevent further data breaches, including updating its antivirus software and switching provider, locking down external websites, adding warning banners to emails from external sources, reconfiguring routers and closing unused ports and services, segregating the guest Wi-Fi network, updating switches and firewalls, upgrading operating systems on workstations, and providing further security awareness training to the workforce.
Computer Containing PHI Stolen from Advocate Lutheran General Hospital
A laptop computer containing the protected health information of patients of Advocate Lutheran General Hospital in Park Ridge, IL has been stolen.
The computer was stolen from the hospital on between 3:30 p.m. on September 22 and 06:30 a.m. on September 24, 2021. Upon discovery of the theft, technologies and processes were implemented to protect patient data and the laptop computer was remotely disabled; however, it is possible that in the short window of opportunity, data stored on the device could have been viewed. The hospital said it has found no evidence to indicate patient data was compromised.