The Sierra Vista, AZ-based ophthalmology and optometry provider Cochise Eye and Laser experienced a ransomware attack on January 13, 2021 that resulted in the encryption of its patient scheduling and billing software.
The attack prevented Cochise Eye and Laser from accessing any data in its scheduling system. Eye care services continued to be provided to patients, with the practice reverting to using paper charts. According to a February 17, 2021 breach notice on its website, paper charts were still in use as the scheduling system remained out of action.
The investigation into the ransomware attack found no evidence to indicate any patient data were exfiltrated prior to the encryption of files; however, data theft could not be ruled out. The types of information potentially accessed by the attackers included names, dates of birth, addresses, phone numbers and, for some individuals, Social Security numbers.
Since the attack, Cochise Eye and Laser has been working on improving the security of its systems and is implementing a new offsite backup system. Efforts to recover the encrypted data are ongoing and patient charts will be used to rebuild its schedules.
The ransomware attack has been reported to the HHS’ Office for Civil Rights as affecting up to 100,000 patients.
Petersburg Medical Center Discovers Insider Privacy Breach
Petersburg Medical Center in Alaska has discovered an employee accessed the medical records of around 200 patients without authorization, when there was no legitimate work reason for doing so. The privacy breach came to light when another employee reported the potential HIPAA violations.
An internal investigation was launched as soon as the unauthorized access was reported, which confirmed medical records had been accessed by the employee over several years. The medical center was satisfied that there had been no further disclosures by the employee and that no patient information was removed from the medical center.
Following the discovery of the breach, the medical center took steps to prevent the employee from accessing any further patient records. Following the investigation, the employee was terminated for the HIPAA violation. Steps have since been taken to prevent any further privacy violations at the medical center, and a new electronic health record system is now being implemented that has a module that will flag unauthorized medical record access. All affected individuals have now been notified by mail.