Singing River Health System: 895,000 Individuals Affected by August 2023 Ransomware Attack
Singing River Health System in Mississippi suffered a Rhysida ransomware attack in August 2023, which was initially reported to the HHS’ Office for Civil Rights as affecting 501 individuals, as the number of affected individuals had yet to be determined. In December 2023, the total was revised to 252,890 individuals; however, the data breach has turned out to be much worse than previously thought. In a recent notification to the Maine Attorney General, Singing River Health System provided a revised victim count of 895,204 individuals. Click for further information.
“SMEs like Singing River Health System are the most vulnerable to cyber-attacks. Unlike large enterprises with massive cybersecurity budgets and dedicated cybersecurity teams, SMEs are exposed to the same threats with a fraction of the resources,” Dror Liwer, co-founder of cybersecurity company Coro told The HIPAA Journal. “In a recent study we conducted with 500 SME cybersecurity professionals, 73% said they missed or ignored critical alerts. That’s not because they don’t want to do their jobs, but because they are in an impossible position of having to work with tools that were designed for the enterprise that consume too much of their time, leaving them with no time to do actual protection work.”
Redwood Coast Regional Center Confirms PHI Compromised in March 2024 Cyberattack
Redwood Coast Regional Center, a Ukiah, CA-based social services organization that provides services and support to children and adults with developmental disabilities, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected at least 500 individuals. 500 is a placeholder commonly used when reporting a data breach to OCR to meet the 60-day reporting deadline of the HIPAA Breach Notification Rule when the total number of affected individuals is yet to be established.
Unusual activity was detected within its computer network on March 6, 2024, and assisted by third-party cybersecurity specialists, it was determined that there was unauthorized access to its network, including files containing patient data. The types of data accessed or obtained in the attack varied from individual to individual and may have included names in combination with one or more of the following: address, phone number, email address, date of birth, Social Security Number, driver’s license/state ID number, financial account information, treatment/diagnosis information, prescription information, provider name, medical record/case number, Medicare/Medicaid ID number, health insurance information, and/or treatment cost information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The investigation into the incident is still ongoing and notification letters will be mailed to the affected individuals as the investigation progresses. Complimentary credit monitoring and identity theft protection services are being offered to the affected individuals and cybersecurity specialists have helped with the implementation of additional security measures to prevent similar incidents in the future.
