Healthcare Cyberattacks Target 2 TX Hospitals, Expose PHI

Lavaca Medical Center and Throckmorton County Memorial Hospital both suffered cyberattacks that led to PHI exposure.

Two Texas hospitals, Throckmorton County Memorial Hospital and Lavaca Medical Center, began notifying patients of recent cyberattacks that exposed protected health information (PHI).

Throckmorton County Memorial Hospital began notifying over 3,000 patients and employees of a September 7 cyberattack that led to significant EHR downtime. Bad actors gained access to the hospital’s IT network and deployed malware. New patients as of September 8 were not impacted by the incident.

The cyberattack may have exposed names, addresses, birth dates, genders, diagnoses, medication information, and details of hospital visits for some patients. In addition, some payroll information, wage history, Social Security numbers, and tax filing information of employees were impacted.

Impacted patients and employees will receive a letter with information about safeguarding their personal information, and all impacted individuals are eligible for free online credit monitoring services and fraud insurance.

“We are saddened and frustrated by this incident. Caring for our patients during medically challenging times in their life is very important to our mission,” Kirby Gober, the hospital’s CEO, explained in the notice.  

“We apologize to our patients and employees for any concern this incident may create, and we will do our best to correct the situation and help them through necessary steps to ensure their safety.”

Around the same time, Lavaca Medical Center in Hallettsville, Texas, began notifying 48,705 patients that their PHI may have been exposed in a separate cyberattack. Lavaca discovered unusual activity on August 22 and immediately began an investigation with the help of a computer forensic firm.

The investigation revealed that an unauthorized actor accessed the medical center’s system between August 17 and August 22. Lavaca was unable to determine whether the unauthorized individual accessed any information, but patient names, birth dates, Social Security numbers, and medical record or patient account numbers may have been viewed.

The medical center’s EHR system was not impacted, and Lavaca said it has no reason to believe that any patient information was taken or misused. As a precautionary measure, Lavaca is offering complimentary credit monitoring and identity protection services.

“We take this issue very seriously and are committed to taking steps to help prevent something like this from happening again, including implementing enhanced network monitoring tools and continuing to regularly audit our systems for any unauthorized activity,” the medical center’s statement explained.

Despite an increase in healthcare cyberattacks since the onset of the pandemic, recent research found that almost half of surveyed healthcare organizations have not implemented an incident response plan. Only 33 percent of survey respondents reported performing regular vulnerability assessments, and 48 percent of respondents said they undergo regular infrastructure auditing.

Healthcare organizations must contend with a variety of cyber threats in today’s threat landscape, including ransomware, phishing, and spoofing. It is crucial to continually conduct risk assessments, implement technical safeguards, and educate employees on cyber hygiene in order to mitigate risk and protect patient and employee data.
