
100K Patients Impacted by Cochise Eye and Laser Ransomware Attack

Cochise Eye and Laser has continued under EHR downtime after a ransomware hit in mid-January; more ransomware incidents and an email hack complete this week’s breach roundup.

Arizona-based Cochise Eye and Laser recently notified 100,000 patients that their data was potentially compromised or deleted after a ransomware attack on January 13. The provider operates three sites that include two optometrist offices and a medical and surgical office.

The ransomware encrypted data on its patient scheduling and billing software. The investigation did not find evidence that the data was taken.

However, some information was deleted during the security incident, which rendered it impossible to access any data in the scheduling system. The impacted data could include patient names, dates of birth, contact details, and some Social Security numbers stored within the billing software.

A month after the attack, the provider continued to operate under EHR downtime procedures, including the use of paper charts to maintain patient care. Officials said they’ve called all patients seen after January 1, 2021, to reschedule follow-up appointments, as they were unable to determine when the appointments were originally scheduled.

Cochise Eye and Laser is continuing to work on data recovery processes while building a new offsite backup database. Officials said they also intend to implement additional security measures.

Summit Behavioral Health Email Hack

Summit Behavioral Healthcare (SBHC) is notifying an undisclosed number of current and former patients that a hack of two employee email accounts may have led to a breach of their personal and protected health information.

The hack was first discovered in early May 2020, which prompted the launch of an investigation into certain email accounts with assistance from a third-party digital forensics firm. Officials determined that two employee email accounts were subject to unauthorized access.

The investigation concluded in January 2021 that patient information was contained in the compromised accounts. The impacted data varied by patient and could include SSNs, diagnoses, symptoms, treatments, prescriptions, health insurance numbers, medical histories, financial account information, Medicare or Medicaid IDs, and provider information.

Given the time lapse between the discovery of the breach and the notification, it’s critical to point out that HIPAA requires data breaches to be reported within 60 days of discovery -- not at the close of an investigation.

St. Margaret’s Health–Spring Valley Recovers from Ransomware

A ransomware attack on St. Margaret’s Health–Spring Valley in late February drove the Illinois provider into EHR downtime procedures, according to local news outlet Shaw Media News Tribune.

The attack was discovered on February 22, and hospital officials are unsure of how hackers got into the system. The IT department identified the systems breach and completely shut down the enterprise computer network to stop the spread, including all web-based operating systems, such as email and the patient portal.

St. Margaret’s had previously implemented and practiced computer downtime procedures, which allowed patient care to continue without interruption. However, diagnostic imaging procedures were diverted to another hospital branch to ensure accuracy of scans.

The hospital contracted with an outside cybersecurity team to identify the scope of the incident and assess the state of the system. No update has been provided thus far, as officials were unsure of the timeline for full system recovery.

On average, ransomware attacks cause about 15 days of EHR downtime. However, some recent incidents have lasted for more than a month. Two prime examples were the ransomware attacks on the University of Vermont Health Network and Universal Health Services.

The UHS attack impacted all 400 of its US care sites and caused three weeks of downtime, with a total of $67 million in recovery efforts and lost revenue. The UVM incident lasted for more than a month and even required assistance from the US Army National Guard’s Cyber Response Team.

AllyAlign Reports Breach Impacting 33,932 Patients

AllyAlign Health recently notified at least 33,932 patients that their data was likely compromised due to a ransomware attack in 2020. The Virginia-based medical plan administrator provides services to about 45,000 individuals across 20 different states.

The incident was reported to the Department of Health and Human Services as impacting 33,932 patients from Virginia. It’s unclear whether patients from other states were also impacted by the event.

A hacker gained access to the network and installed the ransomware. The notice does not detail when the breach began, but officials said they detected the unauthorized third-party intrusion in November 2020.

The compromised system contained patient data, such as names, dates of birth, SSNs, contact details, Medicare health insurance claim numbers and beneficiary identifiers, claims histories, health insurance policy numbers, and Council for Affordable Quality Healthcare credentialing information, among other sensitive information.
