HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Southern Ohio Medical Center Diverts Ambulances Due to Cyberattack

Southern Ohio Medical Center (SOMC) in Portsmouth, OH, is recovering from a cyberattack that occurred on the morning of Thursday, November 11, 2021. The attack forced the hospital to go on diversion and direct ambulances to other healthcare facilities. The hospital also had to cancel some appointments and outpatient services.

“This morning, an unauthorized third-party gained access to SOMC’s computer servers in what appears to be a targeted cyberattack. We are working with federal law enforcement and Internet security firms to investigate this incident,” explained SOMC in a Facebook post on Thursday. “Patient care and safety remain our top priority as we work to resolve this situation as quickly as possible. While this does not impact our ability to provide care to current inpatients, we are presently diverting ambulances to other hospitals.”

The 248-bed not-for-profit hospital came off diversion on Friday morning, although it has not yet been able to return to full operations. Law enforcement has been informed and a third-party cybersecurity company has been engaged to investigate the breach and determine the nature and scope of the attack.

The attack took the hospital’s electronic medical record system offline, forcing staff to revert to pen and paper to record patient information. Outpatient medical imaging, cancer care services, cardiovascular testing, cardiac catheterization, sleep lab, and outpatient surgery and rehab have all experienced disruption due to the lack of access to computer systems and data.


SOMC explained in its breach notification letters to patients that the forensic investigation determined that certain systems were accessed by unauthorized individuals between November 10 and November 11, 2022. A review of the files on the network was completed on March 4, 2022, which confirmed the following types of protected health information had potentially been compromised: names, Social Security numbers, treatment or diagnosis information, health insurance information, birth dates, passport numbers, U.S. Alien registration numbers, and employer ID numbers. Contact information then had to be verified for the affected individuals and that process was completed on March 21, 2022.

SOMC said it has reviewed its existing systems and policies and has implemented additional safeguards to further secure patient information. Notification letters have been sent to affected individuals, who have been offered 24 months of complimentary identity monitoring services.

The breach was reported to the HHS’ Office for Civil Rights as affecting 15,136 individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.