Up to 58,000 Individuals Impacted by Healthcare Fiscal Management Ransomware Attack

Healthcare Fiscal Management Inc. (HFMI), a Wilmington, NC-based provider of self-pay conversion and insurance eligibility services to hospitals, clinics and physician groups, has experienced a ransomware attack in which the personal and protected health information of patients of St. Mary’s Health Care System in Athens, GA may have been accessed or obtained by the attackers.

An unauthorized individual gained access to HFMI systems on April 12, 2020 and deployed a ransomware payload the following day that encrypted data on those systems. The systems accessed by the attacker were found to contain the personal and protected health information of patients who received healthcare services at St. Mary’s between November 2019 and April 2020.

In total, the data of approximately 58,000 patients may have been accessed and obtained by the attackers, although data access/theft could not be confirmed. The PHI stored on the compromised systems was limited to names, dates of birth, Social Security numbers, account numbers, medical record numbers, and dates of service.

HFMI had prepared for such an event and had viable backups, which were used to restore the data the same day to a different hosting provider. A forensic investigation firm was engaged to investigate the breach. The forensic investigators confirmed the data is not in the possession of the attackers and is not accessible over the internet.

Security experts have been reviewing security controls and, based on their recommendations, steps will be taken to strengthen security. HFMI has offered all affected individuals complimentary credit monitoring and identity theft protection services as a precaution against identity theft and fraud.

Friendship Community Care Phishing Attack Impacts 9,745 Patients

Russellville, AR-based Friendship Community Care (FCC), a nonprofit provider of care for adults and children with disabilities, fell victim to a phishing attack in January 2020.

The breach was discovered on February 4, 2020 when suspicious activity was detected in an employee’s email account. Forensic investigators assisted with the investigation and determined on February 5, 2020 that an unauthorized individual had gained access to the email account; further investigation revealed that several Office 365 email accounts had been compromised using credentials obtained in the phishing attack.

FCC learned on February 7, 2020 that the email accounts contained protected health information. A comprehensive review of the email accounts confirmed that the PHI of 9,745 individuals may have been accessed, although no evidence was found to suggest emails were viewed or obtained by the attacker.

The compromised accounts contained names, addresses, dates of birth, Social Security numbers, client ID numbers, Medicare IDs/Medicaid IDs, employer ID numbers, patient numbers, medical information, driver’s license numbers, state ID card numbers, student ID numbers, financial account information, mother’s maiden names, birth certificates, marriage certificates, disability codes, and facial photographs.

Affected individuals have been offered complimentary credit monitoring and identity protection services. A review of email security was conducted, and steps are being taken to enhance security to prevent similar breaches in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.