HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

4-Month Data Breach Discovered During Ransomware Investigation: 300,000 Patients Impacted

Women’s Health Care Group of Pennsylvania, one of the largest healthcare networks in the state, has alerted approximately 300,000 patients that some of their sensitive protected health information has been compromised.

The types of data exposed – and potentially stolen – include names, addresses, dates of birth, lab test orders, lab test results, blood types, race, gender, pregnancy status, medical record numbers, employer information, insurance details, medical diagnoses, physicians’ names and Social Security numbers.

Identity theft protection services are being offered to all affected patients, and those individuals would do well to activate them promptly: the attackers gained access to a server and a workstation containing the above information in January this year, and that access could have persisted until at least May.

In May, ransomware was installed on the server and workstation, preventing the organization from accessing patient data. Ransomware is commonly delivered through a phishing email or by exploiting a software vulnerability, but in this case it appears to have been deployed by attackers who already had access to the systems. That is not unusual. Once attackers have gained access to a healthcare network, it is becoming increasingly common for ransomware to be deployed only when access to the system is no longer required, for instance after all useful data have been exfiltrated.


Women’s Health Care Group of Pennsylvania rapidly isolated the affected devices to prevent the infection from spreading, and external cybersecurity experts were called in to conduct a forensic investigation to determine the nature and scope of the breach. The Federal Bureau of Investigation was also notified.

The attackers issued a ransom demand, but no payment was made because all data could be recovered from backups. Women’s Health Care Group of Pennsylvania says no protected health information was lost.

The investigation revealed that the attackers had first gained access to its systems in January 2017 by exploiting a security vulnerability, and the same vulnerability is believed to have been used to install the ransomware. While Women’s Health Care Group of Pennsylvania found no evidence that information on the server or workstation had been viewed or stolen, data access and theft could not be ruled out.

This is the second such incident to be reported in the past few weeks. Earlier this month, Peachtree Neurological Clinic of Atlanta, GA announced that an investigation into a ransomware attack revealed its systems had been compromised 15 months previously.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.