UF Health Says PHI Potentially Compromised in May 2021 Cyberattack

On May 31, 2021, UF Health Central Florida experienced a cyberattack that affected Leesburg Hospital and The Villages Hospital. The security breach was announced by UF Health within a few hours of the attack being detected, although at the time it was unclear whether any patient data had been compromised in the incident.

An investigation into the breach was conducted which determined the attackers had access to its computer network between May 29 and May 31, 2021, and while unauthorized access to patient data was not confirmed, UF Health has now reported that some patient data may have been accessible. The exposed data included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers, and limited treatment information.

UF Health said its electronic medical records were not involved or accessed, and the breach did not affect its Gainesville or Jacksonville campuses. UF Health said it has no reason to believe any exposed data has been misused or disclosed; however, as a precaution against identity theft and fraud, affected individuals are being offered complimentary credit monitoring and identity theft protection services. UF Health said it is taking steps to prevent further attacks, including enhancing the security of its electronic systems and improving protections for sensitive data.

UF Health has not publicly disclosed whether the cyberattack involved ransomware, although some local media outlets have reported ransomware was involved and the attackers demanded a $5 million ransom.

The breach report summited to the Department of Health and Human Services’ Office for Civil Rights shows 700,981 individuals have been affected.

Eskenazi Health Reports Attempted Ransomware Attack

Indianapolis, IN-based Eskenazi Health is dealing with an attempted ransomware attack. The attack occurred in the early hours of August 4, 2021 but Eskenazi Health said its monitoring systems functioned as they should and proactively shut down its network to contain the attack.

Eskenazi Health switched to emergency procedures and the decision was taken to divert ambulances to other facilities to ensure patient safety. Eskenazi Health is currently working to bring its systems back online. At this stage its monitoring systems suggest patient and employee data were not compromised in the attack.

Sandford Health Victim of Cyberattack

Sioux Falls, SD-based Sandford Health says it was the victim of an August 3, 2021 cyberattack which it is working to resolve.  Sanford President and CEO Bill Gassen confirmed its IT Team took aggressive measures in response to the attempted cyberattack and everything is being done to minimize disruption and providing exceptional care to patients remains its number one priority.

No further details have been released about the exact nature of the incident, but at this stage it does not appear that the information of patients, residents, or employees has been compromised. Leading IT security experts have been engaged and are assisting with the breach response and investigation and further information will be released as and when it becomes available.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.