Maryland Hospital Reveals 30K Individuals Impacted by Ransomware Attack
Atlantic General Hospital disclosed that a January ransomware attack tied to reported IT outages also potentially impacted the PHI of over 30,000 patients.
Atlantic General Hospital has notified 30,704 patients of a ransomware attack that potentially compromised protected health information (PHI), a notice provided to the Maine Attorney General’s Office stated.
In late January, encrypted files were discovered during a ransomware attack, leading to network outages at the hospital, as previously reported. While there was limited patient disruption, the hospital's website indicated temporary closures of certain services, such as outpatient imaging services, walk-in lab services, and AGHRx RediScripts.
The Maryland hospital promptly launched an investigation with the help of a third-party computer forensics firm to determine the extent and nature of the incident.
“Upon discovering the event, AGH moved quickly to investigate and respond to the incident, assess the security of AGH systems, and identify potentially affected individuals. Further, AGH notified federal law enforcement regarding the event,” the notice stated.
The investigation revealed that there was unauthorized access to specific servers and files at AGH. On March 6, 2023, Atlantic General Hospital concluded that sensitive information, including name, Social Security number, financial account information, medical record number, treating/referring physician, and health insurance information, was contained in the impacted files.
The hospital has advised patients to remain vigilant and to review account statements and credit reports for any suspicious activity or errors. Atlantic General Hospital has also offered 12-month credit monitoring and identity protection services through IDX.
California DHCS Discloses Data Breach Tied to Mailing Error
A recent data breach caused by a mailing error potentially affected up to 6,460 members of Medi-Cal, exposing their PHI, according to the California Department of Health Care Services (DHCS).
DHCS found that a mailing error involving subcontractor Advanced Image Direct (AID), acting on behalf of the Office of State Publishing (OSP), led to a mix-up in which IRS Form 1095-B mailings contained personal information belonging to the incorrect recipient.
The incident affected Medi-Cal members who met certain minimum essential coverage requirements. DHCS learned of the error on January 12, 2023, after a Medi-Cal member reported it. An internal review revealed that an equipment malfunction caused the mistake. AID corrected it but then mistakenly disposed of the corrected records and distributed the incorrect ones.
After discovering the incident, OSP halted printing and mailing operations and investigated AID to prevent future errors. The investigation revealed a likely impact on 250 records, with a maximum possible impact on 6,460 records, and OSP attempted to retrieve the misdirected mailings. AID will take corrective action by implementing more stringent quality controls, including logging all printing system restarts, assigning a quality control person to review and approve materials after each restart, and conducting a quality check every 30 minutes or 5,000 pieces.
“The protection of private information is a top priority for DHCS,” said DHCS Director Michelle Baass. “We take any breach of personal health information seriously, and we deeply regret any inconvenience or problem this may cause. We have increased our efforts to ensure all personal information is appropriately protected.”
Health Plan of San Mateo Notifies 11K of Data Breach
CA-based Health Plan of San Mateo (HPSM) has recently notified 11,894 individuals of a data breach within its email environment.
It was discovered on January 17, 2023, that an unauthorized party had gained access to an employee’s email account through a successful phishing attack.
“With the assistance of a cybersecurity firm, HPSM determined that an unauthorized person gained access to one email account on January 17, 2023,” HPSM reported.
“The evidence suggests that this was an attempt to fraudulently change the employee’s direct deposit information — and not to access personal or plan member information,” HPSM continued. “However, because HPSM could not rule out the possibility that member information may have been viewed, they reviewed all emails and attachments in the mailbox.”
The email account contained a spreadsheet with names, birth dates, member identification numbers, and limited information about calls made to the nurse advice line. To prevent future incidents, additional security measures have been implemented, and employees have received further training on identifying phishing attempts.