HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Security Breaches Reported by Lavaca Medical Center and Throckmorten County Memorial Hospital

Lavaca Medical Center, a critical access hospital in Hallettsville, TX, has started notifying 48,705 patients about a security breach in which their protected health information was exposed.

Lavaca Medical Center said unusual activity was detected in its computer network on August 22, 2021, indicating a potential cyberattack. Steps were immediately taken to secure its network and a third-party computer forensics firm was engaged to assist with the investigation. The forensic investigators confirmed unauthorized individuals had access to the network between August 17 and August 21.

While no evidence of data theft was uncovered, the possibility that patient data were viewed or exfiltrated could not be ruled out. Affected systems contained names, dates of birth, Social Security numbers, patient account numbers, and medical record numbers. The electronic medical record system was not accessed.

Lavaca Medical Center said it has no reason to believe any patient data were removed from its systems or misused; however, as required by the HIPAA Breach Notification Rule, notification letters have been sent to affected individuals. Out of an abundance of caution, affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Network monitoring tools have now been enhanced and its systems will be regularly audited for unauthorized activity.

Throckmorten County Memorial Hospital Discovers Malware Infection

Throckmorten County Memorial Hospital in Texas has discovered unauthorized individuals gained access to parts of its computer network that contained the personal information of 3,136 employees and patients.

An intrusion was detected on September 7, 2021, which involved unauthorized access to systems and the installation of malware. A forensic investigation determined its network was breached on August 25, 2021, and access remained possible until September 7.

A review of the affected systems confirmed they contained patient information such as first and last name, address, date of birth, gender, date(s) of service, diagnoses, current procedural terminology code, medical condition, medication, and details of hospital visits. Employee data potentially compromised included name, wage history, Social Security number, payroll information, and filing information.

Throckmorten County Memorial Hospital said affected individuals have been offered a complimentary membership to a credit monitoring service and will be protected by an identity theft and fraud insurance policy. Notifications about the security breach were delayed to allow time for the malware to be removed and security to be improved, as providing notifications earlier would have left its network vulnerable to other threat actors.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.