Jackson Hospital Suffers Patient Data Exfiltration Incident

Recent data breaches included data exfiltration at Florida-based Jackson Hospital and improper PHI access by an employee at Michigan Medicine.

Data exfiltration and improper protected health information (PHI) access were the causes of some recent healthcare data breaches.

As data breaches continue to overwhelm the healthcare sector, organizations must prioritize cybersecurity by implementing technical safeguards and communicating cyber risks to the C-suite.

Jackson Hospital Subject to Data Exfiltration

Jackson Hospital in Florida said it discovered suspicious network activity on January 9, 2022. The Jackson County hospital immediately engaged third-party experts to launch an investigation. On January 11, investigators confirmed that an unknown actor accessed Jackson Hospital’s systems and “took certain, limited data.”

“Jackson Hospital took immediate steps to contain the threat and enable hospital operations, including services to our patients, to continue uninterrupted,” a notice on its website stated. 

“We simultaneously launched a full investigation designed to understand the nature and scope of what occurred, what information was stored on impacted systems at the time of the incident, and to whom that information relates. The investigation remains ongoing at this time.”

The unauthorized actor may have accessed or taken addresses, birth dates, Social Security numbers, medical history, contact information, treatment information, diagnosis codes, Medicare and Medicaid numbers, and financial account information.

It is unclear how many individuals were impacted by the breach. Jackson Hospital said it was enhancing its security procedures to reduce risk.

“Although Jackson Hospital is unaware of the misuse of any personal information impacted by this incident, individuals are encouraged to remain vigilant against incidents of identity theft by reviewing account statements and explanations of benefits for unusual activity,” the notice continued.

“Any suspicious activity should be reported to the appropriate insurance company, health care provider, or financial institution.”

Morley Companies Breach Impacts 521K

Third-party business associate Morley Companies reported a healthcare data breach that impacted over 521,000 individuals, making it one of the largest healthcare data breaches reported to HHS in 2022 so far.

The breach began on August 1, 2021, but Morley said it only started sending notices to impacted individuals on February 1. Although this delay would typically constitute a HIPAA Breach Notification Rule violation, Morley explained that it delayed notification in order to obtain contact information.

Names, Social Security numbers, client identification numbers, medical treatment information, health insurance information, and birth dates were involved in the incident.

It is unclear whether the incident involved ransomware, but Morley’s notice said that its “data became unavailable” and that “additional data may have been obtained from its digital environment.”

“Morley has taken steps in response to this incident and has made alterations to its cyber environment to help prevent similar incidents from occurring in the future,” the notice continued.

The company provided victims whose Social Security numbers were impacted with complimentary credit monitoring and identity theft protection services.

Improper Employee Access Leads to Breach at Michigan Medicine

Michigan Medicine notified a small number of patients of a data security incident involving a recently hired employee who accessed medical records without a legitimate business need between December 1, 2021, and January 25, 2022.

“The individual is part of and has close ties with the local Korean community and accessed records of patients that he knows from this local network,” a notice on Michigan Medicine’s website stated.

An investigation determined that “the individual’s actions were solely out of curiosity,” the notice said.

The employee, who has since been terminated, viewed clinical and demographic information, including diagnosis and treatment information.

“We take our responsibility to safeguard personal information very seriously,” Michigan Medicine concluded.

“We continue to educate our entire workforce on the importance of following our patient privacy policies and reinforce that these types of actions are not acceptable and require disciplinary measures, up to and including termination.”
