Ransomware Attack on the Southeastern Council on Alcoholism and Drug Dependence Impacts 25,148 Patients

The Southeastern Council on Alcoholism and Drug Dependence (SCADD) in Lebanon, CT, has experienced a ransomware attack that has resulted in widespread file encryption.

The attack was detected on February 18, 2019, when SCADD began experiencing problems with its network. The investigation confirmed ransomware had been installed on its systems, some of which contained the protected health information (PHI) of patients.

While no evidence was uncovered that suggested the attackers accessed files containing PHI, third-party forensic investigators were unable to rule out patient data access. Consequently, the incident was reported to the HHS’ Office for Civil Rights as a potential data breach and notification letters have been sent to affected patients. To date, no reports have been received which suggest any patient information has been misused.

Patients have been informed that their names, addresses, medical histories, treatment information, and Social Security numbers have potentially been compromised. All affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The breach summary on the OCR website indicates up to 25,148 patients have been affected by the incident.

Independent Health Employee Accidentally Emailed PHI of 7,600 Members to Unauthorized Individual

The Amherst, MA-based health plan, Independent Health, has discovered an employee emailed documents containing the PHI of 7,600 members to an individual who was not authorized to view the information.

The information was mistakenly sent to an Independent Health member on March 19, 2019. That individual contacted Independent Health within an hour of the email being received to report the privacy breach and confirm that the message and documents had been deleted.

The documents contained plan member information such as ID numbers, providers seen, dates of service, claim numbers, claim payment information, and medical procedure codes. While no Social Security numbers or financial information were exposed and the risk of identity theft or fraud is believed to be low, all affected individuals have been offered 12 months of complimentary identity theft protection and credit monitoring services. The employee in question has been subjected to disciplinary procedures in line with company policy.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.