Lengthy Healthcare Cyberattack Recovery Disrupts MD Department of Health

The Maryland Department of Health just entered month three of the healthcare cyberattack recovery process as data breaches continue to torment healthcare organizations.

The road to healthcare cyberattack recovery is long for the Maryland Department of Health (MDH) as it enters month three of restoring business operations.

Meanwhile, Taylor Regional Hospital (TRH) in Kentucky is in the throes of a weeks-long "cybersecurity incident" that left its phone lines and systems down.

Data breaches continue to burden healthcare organizations, causing protected health information (PHI) exposure, appointment diversions, and EHR downtime.

MDH Still Recovering From December Cyberattack

The Maryland Department of Health first discovered suspicious activity on its networks on December 4, 2021. MDH later confirmed that the incident was the result of a ransomware attack.

In early January, The Washington Post reported ongoing struggles resulting from the ransomware attack that left MDH employees with limited resources and system downtime.

"No one has received communication as to when things will be restored, and people are preparing to operate this way for several months," Patrick Moran, president of AFSCME Maryland Council 3, told The Washington Post in a January 8 article. "None of our members have been told anything."

Since the attack, MDH has faced disruptions to its COVID-19 surveillance data, the state's Medicaid benefits, and healthcare licensing services.

In early February, MDH released a statement outlining its recovery efforts. The department successfully restored its nursing licensure program and processed its backlog of 9,400 online applications. In response to employee grievances about a lack of resources, MDH said it would continue to distribute loaner laptops "on a prioritized basis" so employees can work effectively.

"From the moment this incident was detected, our actions have been balanced by the principles of protecting the systems and data in our care, including the data security of Marylanders, and maintaining the continuity of our business operations," the notice stated.

"We have been and remain committed to updating MDH employees on our evolving restoration efforts."

There is still no set timeline for when all business operations will return to normal, but MDH continues to update its site with the latest recovery information.

Taylor Regional Hospital in Recovery From Cybersecurity Incident

Taylor Regional Hospital in Campbellsville, Kentucky, is still grappling with a data security incident that disabled its phone lines and systems.

The list of available phone lines is slowly growing, but laboratory services will still only be available during limited hours. In addition, patients will need to bring a list of their current medications to all appointments.

TRH's walk-in COVID-19 testing clinic is still only open for two hours per day on a first-come, first-served basis.

"We are working to restore our systems quickly and safely. In the meantime, TRH continues to provide quality care to our patients," the website notice still states.

"We appreciate the community's patience and understanding, and we apologize for the inconvenience caused by this event."

Pace Center for Girls Faces Data Breach

Florida-based Pace Center for Girls reported a data breach to the Office for Civil Rights (OCR) that impacted 18,300 individuals. The nonprofit, which supports prevention, intervention, and diversion services for young women, discovered the data security incident during the week of December 13, 2021.

An investigation revealed that an "intrusion into certain infrastructure systems" in January 2021 resulted in potential data exposure for some of Pace's State of Florida students.

Pace determined that names, addresses, birth dates, phone numbers, Florida Department of Juvenile Justice identification numbers, behavioral health information, parent and guardian names, and enrollment data may have been improperly accessed.

"Pace has and continues to take prompt action to investigate the incident and improve its security, including engaging an outside cybersecurity firm, securing network and physical computer access, and assessing data protection and gateway security systems," the notice explained.

The organization recommended that students and parents monitor credit reports and Explanation of Benefits (EOBs).

Philadelphia Community Health Center Hit by Cyberattack

Philadelphia FIGHT Community Health Centers began notifying 15,000 individuals of a "criminal cyberattack" on November 30, 2021. The organization provides primary care and HIV care to low-income and at-risk Philadelphia residents.

"As soon as we discovered this attack, we disconnected our network from the Internet, stopping the criminal attack, launched an investigation into the nature and scope of the event with the assistance of third-party forensic computer forensics specialists, and reported the crime to law enforcement," a notice on the organization's website stated. 

"We also confirmed, based on available evidence, that this attack did not impact our electronic medical record or other clinical systems."

On January 13, FIGHT confirmed that the threat actor accessed certain non-clinical systems containing protected health information (PHI), including names, Social Security numbers, medical diagnoses, treatment information, health insurance information, and birth dates.

FIGHT could not confirm whether the threat actor accessed or stole any information, and there is currently no evidence of misuse or fraud.

"We deeply regret any inconvenience or concern this event may cause our patients. We are and have always been committed to patient privacy and confidentiality," the notice concluded.

"We are developing and implementing a review and enhancement of our security protocols to help prevent something like this from happening again."
