Getty Images/iStockphoto

Hospital Ransomware Attack in Las Vegas Exposes PII

University Medical Center of Southern Nevada fell victim to a hospital ransomware attack claimed by hacker group REvil that exposed PII.

University Medical Center of Southern Nevada announced Tuesday that it fell victim to a hospital ransomware attack that exposed personally identifiable information (PII). The attack was claimed by the REvil hacker group.

REvil gained access to images of passports, Social Security cards, and driver’s licenses of less than a dozen victims during the data breach and posted them online on Monday. The case is still under investigation. REvil claimed responsibility for numerous high-profile cyberattacks in the past, including an attack on an Apple supplier where they stole schematics for new products and demanded a $50 million ransom, according to CNBC.

In a statement obtained by the Las Vegas Review-Journal, the hospital wrote: “This type of attack has become increasingly common in the [healthcare] industry, with hospitals across the world experiencing similar situations.”

“There is no evidence that any clinical systems were accessed during the attack. UMC continues to work alongside the Las Vegas Metropolitan Police Department, the FBI, and cyber security experts to determine the exact origin and scope of the attack.”

The ransomware attack did not impact patient care, and there were no delays in clinical operations. The hospital plans to notify patients and employees about the potential risk to their PII. In addition, the medical center will offer free access to credit monitoring and identity protection services.

Renown Health in Nevada also announced a data breach recently, connected to its business associate Elekta. Elekta’s breach exposed protected health information (PHI) from over 40 health systems across the country.

In addition, Hoya Optical Labs notified US customers of a ransomware attack that occurred in early April and exposed Social Security numbers and bank account information. Unrelated to a ransomware attack, UofL Health in Kentucky recently sent notification letters to over 40,000 patients explaining that their PHI was accidentally sent to the wrong email address.

Next Steps

Dig Deeper on Healthcare data breaches