Ransomware Attacks Reported by TriValley Primary Care and Medsurant Health
On October 11, 2021, Perkasie, PA-based TriValley Primary Care discovered ransomware had been installed on its networks and servers, which contained the protected health information of some of its patients. Action was quickly taken to secure its systems and prevent further unauthorized access, and third-party cybersecurity experts were engaged to assist with the investigation.
The forensic investigation concluded on November 4, 2021, but it was not possible to tell exactly when unauthorized individuals first gained access to its systems or whether any specific patient information was viewed or obtained by the attackers. At the time of issuing notification letters to affected individuals, TriValley Primary Care was unaware of any actual or attempted misuse of patient data.
As a precaution against identity theft and fraud, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. TriValley Primary Care said it has taken action to prevent further security breaches, including implementing additional technical safeguards, strengthening its existing cybersecurity infrastructure, and providing further security awareness training to the workforce. External cybersecurity consultants have been engaged to assist with improving its policies, procedures, and protocols to further strengthen its security posture.
The breach was reported to the HHS’ Office for Civil Rights as affecting 57,468 patients.
45,000 Individuals Affected by Medsurant Health Ransomware Attack
Pennsylvania-based Medsurant Holdings has reported a ransomware attack to the HHS’ Office for Civil Rights that has affected up to 45,000 Medsurant Health patients.
Medsurant said it received an email from the attacker on September 30, 2021, stating sensitive data had been accessed and exfiltrated from its systems. An investigation was launched to determine whether files had been subjected to unauthorized access and to determine if the claims of data theft were true. According to the notice on the Medsurant website, the investigation confirmed the threat actor had access to its systems between September 23 and November 12. Some files on its systems were encrypted in the attack, but they have successfully been restored.
A review is currently being conducted to determine which files were accessed and stolen and to identify all affected patients. Notification letters will be sent to affected individuals when the review is complete and once contact information has been verified.
At this stage, the types of information believed to have been stolen include full names, addresses, diagnoses, medical conditions, dates of birth, claims information, and Social Security numbers. Medsurant is unaware of any attempted or actual misuse of patient data at the time of publishing the notice.
Existing policies and procedures are being reviewed and will be updated as necessary, and further technical and administrative safeguards will be implemented to better protect the information stored in its systems.