HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ransomware Attacks Reported by Stockdale Radiology and Affordacare Urgent Care Clinics

Stockdale Radiology in California has announced that patient data has been compromised as a result of a ransomware attack on January 17, 2020.

An internal investigation confirmed that the attackers gained access to patients’ first and last names, addresses, refund logs, and personal health information, including doctor’s notes. Stockdale Radiology said a limited number of patient files were publicly exposed by the attackers. Stockdale Radiology also discovered on January 29, 2020, that further patient information may have been accessed, but that information has not been publicly disclosed.

Systems were immediately shut down to prevent any further unauthorized data access and a third-party computer forensics firm was engaged to investigate the breach and determine how access was gained and who was affected. The FBI was immediately notified about the attack and arrived at Stockdale Radiology within 30 minutes. The FBI investigation into the breach is ongoing.

In response to the attack, Stockdale Radiology has conducted a review of internal data management and its security protocols and has taken steps to enhance cybersecurity to prevent further attacks.

According to the breach report on the HHS’ Office for Civil Rights website, 10,700 patients were affected by the breach.

Affordacare Urgent Care Clinics Suffer Ransomware Attack

Abilene, TX-based Affordacare Urgent Care Clinics has started notifying patients that some of their protected health information may have been compromised as a result of a ransomware attack. The attack was discovered on February 4, 2020 and is believed to have started on or around February 1, 2020.

An analysis of the breach revealed the attackers gained access to its servers and deployed Maze ransomware. Prior to deploying the ransomware, the attackers downloaded patient information. Some of that data has been publicly exposed.

The types of data on the compromised servers included names, addresses, telephone numbers, ages, dates of birth, visit dates, visit locations, reasons for visits, health insurance provider names, health insurance policy numbers, insurance group numbers, treatment codes and descriptions, and healthcare provider comments. No financial information, electronic health records, or Social Security numbers were compromised.

57,411 individuals have been affected by the breach. Those individuals have been offered complimentary credit monitoring, identity theft protection, and identity recovery services.

Improper Disposal Incident Reported by Georgia Department of Human Services

The Georgia Department of Human Services has announced that staff in Augusta, GA improperly disposed of boxes of confidential case files containing the records of individuals who received services from the Division of Family & Children Services (DFCS) before June 12, 2017 and individuals who received services from the Division of Aging Services (DAS) before 2017.

After the department was alerted to the incident, immediate action was taken to recover the boxes to prevent them from being accessed by unauthorized individuals. The Georgia Department of Human Services does not believe the files were accessed by unauthorized individuals during the time the files were left unprotected. All affected patients are being notified about the breach, and policies and procedures are being reviewed to prevent similar incidents in the future.

According to the breach summary on the HHS’ Office for Civil Rights breach portal, the files contained the records of up to 500 individuals.

Email Error at NeoGenomics Impacts 911 Patients

NeoGenomics is alerting 911 patients that some of their PHI has been accidentally disclosed to an unauthorized individual.

On January 28, an employee was communicating with a patient about completing and returning a form to NeoGenomics and accidentally attached and sent the wrong Excel spreadsheet. The spreadsheet sent to the patient included data of patients who had laboratory tests performed between January 2018 and October 2019.

The spreadsheet contained patients’ first and last names, dates of birth, and the name of the tests performed by NeoGenomics. The results of the tests were not included in the spreadsheet and no other information was impermissibly disclosed. The error was reported to NeoGenomics by the patient, who confirmed in writing that the spreadsheet has been deleted.

Out of an abundance of caution, NeoGenomics has offered affected individuals complimentary credit monitoring services. NeoGenomics reports that the individual who made the error has been retrained and the workforce has been instructed to check documents and spreadsheets to ensure they are correct before being sent via email.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.