HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of Employees Potentially Compromised in Tech Etch Ransomware Attack

Tech Etch, a Plymouth, MA-based manufacturer of precision-engineered thin metal components, flexible printed circuits, and EMI/RFI shielding, has announced it was the victim of a ransomware attack in which the personal and protected health information (PHI) of current and former employees was potentially compromised.

Companies such as Tech Etch would not normally be required to comply with HIPAA; however, the company provides a health plan for its employees and, as such, is classed as a HIPAA-covered entity.

Tech Etch discovered the ransomware attack on August 25, 2021, with the investigation determining the attackers gained access to its network on August 20. Tech Etch engaged an external forensic cybersecurity team to assist with the breach investigation, help secure its network, and prevent any further unauthorized access. Tech Etch had viable backups that were unaffected and was able to restore all encrypted data without paying the ransom.

Multiple safeguards had been implemented to secure employees’ personal and protected health information, but despite those protections, some employee data may have been stolen. Tech Etch said no direct evidence of data staging or data exfiltration was identified and the investigation indicated the attackers had not accessed the HR servers where employee data were stored. The attackers did try to access data backups containing employee data, but the backups were encrypted by Tech Etch and could not be viewed. Some employee information, such as names, addresses, Social Security numbers, dates of birth, and personal health information, was present in its email environment and could have been accessed or exfiltrated.

Tech Etch has not found any evidence that any employee data have been acquired or misused, and it does not appear that any employee data have been posted publicly.

Affected employees have been advised to monitor their credit reports, accounts, and explanation of benefits statements for signs of fraudulent activity and to immediately report any suspicious transactions if they are discovered. Tech Etch has already taken steps to enhance its security systems to prevent further security incidents and will continue to review those protocols to ensure they remain effective.

The ransomware attack has been reported to the Department of Health and Human Services’ Office for Civil Rights and the Massachusetts Attorney General. This post will be updated when it is known how many individuals have been affected.

UNC Hospitals Discovers Insider Breach and Data Theft

The protected health information of 719 patients of UNC Hospitals has been stolen by a former employee, who used the information for financial gain.

The Chapel Hill, NC-based healthcare provider discovered the unauthorized access on September 10, 2021. The employee in question was responsible for handling patients’ payments for services at several UNC Hospitals clinics and was provided with access to sensitive patient data to complete work duties.

The employee stole patients’ demographic information, financial information, Social Security numbers, copies of insurance cards, and patients’ driver’s licenses and used that information to fraudulently obtain goods and services.

Patients whose protected health information was accessed or misused by the former employee have been notified by mail and have been offered complimentary credit monitoring services for 12 months. The UNC Hospitals Police Department has launched a criminal investigation into the incident.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.