Ransomware Attacks Reported by Monterey Health Center and Magnolia Pediatrics
Monterey Health Center in Milwaukie, OR, has experienced a ransomware attack that encrypted its electronic medical records system. The attack commenced on August 12, 2019 and prevented patient data from being accessed.
Assisted by a third-party vendor, the health center successfully restored all patient data quickly and was able to continue providing care to its patients. It is unclear whether the medical records were restored from backups or if the ransom demand was paid.
Third party forensic investigators were retained to investigate the attack and determine whether patient data had been copied by the attackers. The investigation found no evidence of data exfiltration, although unauthorized data access could not be totally ruled out. To date, no reports have been received about any misuse of patient information.
The following information was potentially compromised: Names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical histories, diagnoses, lab test results, treatment information, medications, health insurance information, claims information, and financial account information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
All individuals affected by the breach have been notified and steps have been taken to improve security. The health center will continue to work with third-party experts to ensure its systems remain secure and patients’ health and personal information is protected from unauthorized access.
Ransomware Attack Impacts Magnolia Pediatrics Patients
Magnolia Pediatrics in Prairieville, LA, experienced a ransomware attack on August 23, 2019 that resulted in the encryption of files containing patients’ protected health information.
Assisted by a third-party computer forensics firm, the pediatric practice determined that patient information had not been removed from its systems during the attack. While data theft is not suspected, unauthorized data access and/or data theft could not be totally ruled out.
The encrypted computer system contained patient data such as names, addresses, telephone numbers, medical record numbers, Social Security numbers, clinical information, diagnoses, lab test results, diagnoses, medications, medical histories, insurance information, treating physicians’ names, and dates of service.
The incident has been reported to the Federal Bureau of Investigations and the FBI investigation of the attack is ongoing. Steps are being taken to improve security to prevent similar attacks in the future and all affected patients have now been notified.
The breach summary on the HHS’ Office for Civil Rights website shows 11,100 patients have been affected by the breach.
