HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ransomware Attacks Reported by Healthcare Providers in Illinois and Rhode Island

A roundup of recent healthcare ransomware attacks, privacy breaches, and security incidents that have been announced in the past few days.

Center for Vitreo-Retinal Diseases Ransomware Attack Impacts 20,371 Patients

The Center for Vitreo-Retinal Diseases in Libertyville, IL, experienced a ransomware attack that resulted in the encryption of data on its servers. The attack was detected on September 18, 2018. The investigation into the breach suggests the attacker may have gained access to the protected health information of 20,371 patients that was stored on the affected servers.

The attack appeared to have been conducted with the intention of extorting money from the practice. While it is possible that patient information was accessed by the attacker, no evidence of unauthorized data access, data theft, or misuse of patient information has been discovered.

The information that was potentially compromised included names, addresses, telephone numbers, birth dates, health insurance information, health data, and the Social Security numbers of Medicare patients.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The Center for Vitreo-Retinal Diseases has since reviewed its security protections and has taken steps to prevent similar security breaches from occurring in the future.

Rhode Island Health Center Experiences Ransomware Attack

Woonsocket, RI-based Thundermist Medical Center experienced a ransomware attack on the evening of Thursday, November 28 which took some of its computer systems out of action. Fast action was taken to secure patient information and unaffected systems were isolated to prevent widespread file encryption.

The health center implemented its emergency protocols and was able to continue providing medical services. There was minimal impact on patients although certain appointments were cancelled out of safety concerns due to the inability to access medical records. Thundermist Medical Center does not believe any patient information was compromised in the attack.

Mailing Error by Vendor of OrthoTexas Physicians and Surgeons Caused Patient Name Disclosure

OrthoTexas Physicians and Surgeons, a network of orthopedic and sports medicine practices in Texas, has discovered an error was made on an October 5, 2018 mass mailing which resulted in the accidental disclosure of patient information to other patients.

The letters were notifications that a physician had joined the practice and would be treating patients at its facilities in Frisco and Plano. The letters, which were incorrectly dated August 27, 2018, were placed in incorrect envelopes by the practice’s mailing vendor.

The mailing was sent to 2,172 patients and resulted in the name of one patient being disclosed to another patient. No other patient information was included in the mailing.

San Mateo Medical Center Discovers Improper Disposal of 500 Patients’ PHI

San Mateo Medical Center in Daly City, CA, has discovered the medical records of up to 500 patients have been accidentally exposed as a result of an improper disposal incident.

The paper records had been left overnight in a box under an employee’s desk and temporary cleaning staff mistook the box for recycling and disposed the documents in a recycling bin that was only intended to be used for non-confidential paperwork. San Mateo Medical Center has separate recycling bins for paperwork containing confidential information which is sent for shredding prior to disposal.

The paperwork relates to patients who visited its Daly City facility on November 5-6 inclusive. Since the documents have not been recovered it was not possible to tell exactly which patients have been affected, and neither the exact information that was recorded on the documents.

San Mateo Medical Center believes the patients affected by the incident have had the following information exposed: Name, birth date, medical record number, service date, patient account number, gender, age, provider or resource name, and insurance code.

San Mateo Medical Center has reinforced its policies on the correct way to dispose of sensitive information and the Daly City clinic manager has instructed staff not to leave confidential information out overnight and to place confidential documents in shredding bins immediately when they are no longer required.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.