HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ransomware Gangs Claim Three More Healthcare Victims

PeakTPA, a St. Louis, MO-based provider of health plan management and back-office services, has announced it suffered a cyberattack on or around December 28, 2020 in which protected health information was stolen.

The security incident was detected on December 31 and involved two cloud servers used by the company to manage program of all-inclusive care for the Elderly (PACE) claims.  According to the breach report submitted to the HHS’ Office for Civil Rights, the PHI of up to 50,000 individuals was stolen or exposed.

An investigation into the attack confirmed the attackers obtained full names, home addresses, dates of birth, Social Security numbers, PACE program IDs, and diagnosis and treatment information.

Affected individuals have been notified and offered complimentary membership to credit monitoring, fraud consultation, and identity theft restoration services via Kroll.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

St. Bernard’s Total Life Healthcare, Inc., which provides PACE in Northeast Arkansas, and Rocky Mountain Health Care Services in Colorado Springs have confirmed that 528 of their patients have been impacted by the attack and Harbor Health Services in Massachusetts has reported the breach as affecting 901 patients.

92,000 Individuals Affected by Preferred Home Care of New York Ransomware Attack

Preferred Home Care of New York, a Brooklyn, NY-based provider of in-home care services, experienced a ransomware attack on January 8, 2020 in which patient data was stolen. The attack was detected the following day. According to databreaches.net, samples of data stolen in the attack were uploaded to the Sodinokibi (REvil) data leak site in January.

External counsel for Preferred Home Care of New York explained in a data breach notification that the types of data obtained by the gang varied from individual to individual and may have included names, addresses, email addresses, phone numbers, dates of birth, financial information such as bank account numbers, Social Security numbers and medical information related to health assessments, physicals, drug screens, vaccinations, and TB tests, as well as FMLA and worker’s compensation claims.

92,283 individuals have been notified and complimentary credit monitoring and identity theft protection services have been offered to breach victims.

Newberry County Memorial Hospital Suffers Ransomware Attack

Newberry County Memorial Hospital in South Carolina has announced it suffered a ransomware attack in February that took certain servers out of action, forcing the hospital to switch to manual procedures while the attack was mitigated. The hospital had a full backup of its data and systems and was able to restore all encrypted data without paying the ransom.

The investigation into the attack is ongoing and no evidence has been found of unauthorized data access or data exfiltration to date. The hospital has since taken steps to improve security to prevent similar attacks in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.