Gorodenkoff - stock.adobe.com
KY Hospital Systems Down During Cybersecurity Incident Investigation
Hospital systems and phone lines are down at a Kentucky hospital, and a server misconfiguration resulted in potential PHI exposure in a California county.
Healthcare organizations notified victims of data breaches resulting from cyberattacks, server misconfigurations, and burglaries this week.
As a result, the protected health information (PHI) of many patients could be in jeopardy.
KY Hospital System, Phone Lines Remain Down
Taylor Regional Hospital (TRH) in Campbellsville, Kentucky is facing system and phone line downtime as it investigates a cybersecurity incident. The outages began on January 24 and are ongoing at the time of publication.
“We are working to restore our systems quickly and safely. In the meantime, TRH continues to provide quality care to our patients,” an urgent notice on the hospital’s website stated.
“We appreciate the community's patience and understanding, and we apologize for the inconvenience caused by this event.”
TRH said that patients who are receiving lab draws for outpatient services should expect longer wait times, and routine outpatient labs will only be performed during limited hours. In addition, all patients will be required to ring a written lab order.
The hospital is also unable to schedule COVID testing and will conduct tests on a first-come, first-serve basis. TRH has not yet provided an estimate for when all services may be operational again.
CA County Notifies of Server Misconfiguration, Potential PHI Exposure
County of Kings, California provided notice of a data breach resulting from a server misconfiguration that potentially exposed the PHI of 16,590 individuals.
County of Kings learned that an error made by a third-party contractor resulted in server misconfigurations, causing COVID-19 case information to be available on the internet. The county learned of the misconfiguration on November 24, 2021, but the error had begun on February 15 and was not fixed until December 6.
COVID-19 information provided to the County’s Public Health Department by the California Department of Public Health and County healthcare providers was potentially available on a public web server for months, including names, birth dates, addresses, and COVID-19 information.
County of Kings began notifying impacted individuals on January 21, 2022, and established a dedicated incident response line. The county said it had no reason to believe that any of the information would be misused.
“To help prevent something like this from happening again, County of Kings is taking steps to further protect COVID-19 information,” the notice stated.
MO Hospital Burglary Results in PHI Theft
South City Hospital in Missouri began notifying patients of a data breach that resulted from a burglary, causing potential PHI exposure for over 21,000 individuals.
On November 15, 2021, South City Hospital learned that a burglary had taken place at one of its facilities on November 13 or 14. The hospital determined that a backup imaging server containing patient information was stolen.
The server contained names, Social Security numbers, radiology imaging information, and health insurance information. There is currently no evidence of misuse as a result of the theft but impacted individuals should remain vigilant.
“Information security is among South City Hospital’s highest priorities, and we have strict security measures in place to protect information in our care. Upon becoming aware of this incident, we immediately took steps to investigate, and notified law enforcement,” the notice stated.
“We implemented additional measures and are reviewing existing security policies to further protect against similar incidents moving forward. “
MA Nonprofit Data Breach Impacts 68K
Framingham, Massachusetts-based Advocates, a nonprofit that provides services for people facing autism, brain injuries, addiction, aging, and mental health challenges, began notifying over 68,000 individuals of a data breach that occurred in September 2021.
The breach impacted Advocates employees, as well as adults and minors who received services at Advocates.
On October 1, Advocates was informed that an unauthorized actor had accessed and obtained data from its digital environment over the course of two days in September. After an investigation, Advocates determined that names, addresses, birth dates, Social Security numbers, client identification numbers, health insurance information, and medical treatment information may have been exposed.
“Advocates also notified the Federal Bureau of Investigation and will provide whatever cooperation is necessary to hold the perpetrators accountable, if possible,” the notice stated.
“Advocates takes the security and privacy of service recipient information very seriously and is taking additional steps to prevent a similar event from occurring in the future.”
Advocates began notifying impacted individuals on January 3.