HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Up to 100,000 Individuals Affected by Cochise Eye and Laser Ransomware Attack

The Sierra Vista, AZ-based ophthalmology and optometry provider Cochise Eye and Laser experienced a ransomware attack on January 13, 2021 that resulted in the encryption of its patient scheduling and billing software.

The attack prevented Cochise Eye and Laser from accessing any data in its scheduling system. Eye care services continued to be provided to patients, with the practice reverting to using paper charts. According to a February 17, 2021 breach notice on its website, paper charts were still in use as the scheduling system remained out of action.

The investigation into the ransomware attack found no evidence to indicate any patient data were exfiltrated prior to the encryption of files; however, data theft could not be ruled out. The types of information potentially accessed by the attackers included names, dates of birth, addresses, phone numbers and, for some individuals, Social Security numbers.

Since the attack, Cochise Eye and Laser has been working on improving the security of its systems and is implementing a new offsite backup system. Efforts to recover the encrypted data are ongoing and patient charts will be used to rebuild its schedules.

The ransomware attack has been reported to the HHS’ Office for Civil Rights as affecting up to 100,000 patients.

Petersburg Medical Center Discovers Insider Privacy Breach

Petersburg Medical Center in Alaska has discovered an employee accessed the medical records of around 200 patients without authorization, when there was no legitimate work reason for doing so. The privacy breach came to light when another employee reported the potential HIPAA violations.

An internal investigation was launched as soon as the unauthorized access was reported, which confirmed medical records had been accessed by the employee over several years. The medical center was satisfied that there had been no further disclosures by the employee and no patient information was removed from the medical center.

Following the discovery of the breach, the medical center took steps to prevent the employee from accessing any further patient records. Following the investigation, the employee was terminated for the HIPAA violation. Steps have since been taken to prevent any further privacy violations at the medical center, and a new electronic health record system is now being implemented, which has a module that will flag unauthorized medical record access. All affected individuals have now been notified by mail.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.