Ransomware Attacks Reported by 4 Healthcare Providers
Ransomware attacks have been reported by Canopy Children’s Solutions, the Sleep Management Institute, the Epilepsy Foundation of Metro New York, and Hapy Bear Surgery Center.
Canopy Children’s Solutions
Mississippi Children’s Home Services, Inc., Mississippi Children’s Home Society, and CARES Center, Inc., which do business as Canopy Children’s Solutions, have notified 19,190 individuals about a ransomware attack that was detected on April 4, 2023.
Encrypted files were discovered on its systems and the forensic investigation confirmed that an unknown threat actor accessed certain files on its network and may have exfiltrated some of those files on April 4, 2023. A comprehensive and time-consuming review was conducted to determine the individuals affected and the types of data involved, and that process was completed on October 13, 2023. It then took until March 8, 2024, to review and verify the affected information and obtain up-to-date contact information. Canopy said it was a time-intensive process as, “Canopy has different relationships with the potentially impacted individuals, such an employer, health care provider or educator, that necessitated looking for addresses in several different databases.”
The information exposed varied from individual to individual and may have included names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, medical information, and health insurance information. Consumer notifications were mailed on April 11, 2024. The breach notice submitted to the Maine Attorney General indicates that 19,190 individuals were affected, including 5 Maine residents.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Sleep Management Institute
The Sleep Management Institute in Cincinnati, OH, has recently announced a ransomware incident that occurred on February 5, 2024. The investigation into the attack is ongoing; however, it has been confirmed that patient data was exposed in the attack. The forensic investigation confirmed that an unauthorized third party had access to its network between January 27, 2024, and February 6, 2024, and may have accessed some or all of the following:
Name, address, date of birth, Social Security Number or taxpayer identification number, driver’s license number or other government-issued identification number, passport number, financial account information, payment card information, username and other credential information, digital signature, biometric data, mother’s maiden name, IRS-issued pin number, clinical or treatment information, medical provider name(s), medical procedure information, health insurance information, prescription information, and any other information on an individual that was created, used, or disclosed in the course of providing health care services.
These types of information were exposed but it has yet to be determined which specific types of information were exposed for each affected individual. Notification letters will be sent to all potentially affected individuals, and in the interim to meet breach reporting requirements, the HHS’ Office for Civil Rights has been told that at least 500 individuals have been affected. The total will be updated when the actual number of affected individuals is known.
Steps taken in response to the incident to improve security include updates to network configurations and firewalls, the deployment of a 24/7 managed detection and response solution, adding content filtering on all devices, installing intrusion prevention systems and advanced malware protection to monitor and prevent malicious network traffic, and implementing a more secure VPN protocol.
The Epilepsy Foundation of Metro New York
The Epilepsy Foundation of Metro New York has fallen victim to a ransomware attack involving unauthorized access/exfiltration of patient data. The forensic investigation confirmed that its electronic medical record system was not accessed in the attack; however, an unauthorized individual gained access to other systems on or around November 8, 2022, although it was not possible to tell if those files containing patient information were accessed.
A review of the affected files was completed on October 12, 2023, and confirmed that they contained information such as names, Social Security numbers, dates of birth, individual medical information, driver’s license or other government IDs, and health insurance information. The breach was reported to the HHS’ Office for Civil Rights on April 8, 2024, and individual notification letters have now been sent. The OCR breach report indicates that 3,852 individuals were affected.
Hapy Bear Surgery Center
Hapy Bear Surgery Center, a pediatric dental clinic in Tulare, CA, has fallen victim to a cyberattack that affected the functionality and availability of some of its IT systems. The attack occurred on December 27, 2023, and the forensic investigation confirmed on March 8, 2024, that the threat actor responsible had access to files that contained patient data.
The review of the affected files was completed on March 19, 2024, and confirmed that full names, addresses, medical information, health insurance information, Social Security numbers, and driver’s license numbers had been exposed. While those types of data were exposed and may have been stolen, Hapy Bear Surgery Center is unaware of any actual or attempted misuse of the data.
In response to the attack, Hapy Bear Surgery Center replaced its firewall systems and engaged a managed cybersecurity services provider to oversee its digital environment. The affected individuals have now been notified and have been offered single bureau credit monitoring/single bureau credit report/single bureau credit score services at no cost. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is unclear how many people have been affected.
