aleksandar nakovski - stock.adob

Malware Destroys Data of 30,000 Fondren Orthopedic Patients

A malware incident damaged some Fondren Orthopedic medical records; ransomware, business email compromise, an email gaffe, phishing, and a payroll security incident complete this week’s breach roundup.

Texas-based Fondren Orthopedic Group is notifying 30,049 that their data was destroyed after a malware incident in November.

On November 21, a malware incident damaged some medical records stored in the provider’s system. The provider took steps to restore the system and launched an investigation, which determined there was no evidence the medical or personal data was accessed or exfiltrated during the attack.

However, some patient records were permanently damaged during the cyberattack. The records included patient names, contact details, diagnoses, treatment information, and health insurance data. As a result, patients will need to prepare new patient forms that include medical history, when visiting the provider in the future.

Fondren is currently reviewing data security policies and procedures and bolstering its security protocols.

The notification does not outline whether the malware impacted backups or the type of malware leveraged during the attack. Several providers have reported data loss or destruction in the last year after ransomware incidents, including Ferguson Medical Group.

Further, two providers permanently closed in the spring after ransomware attacks damaged their computer systems: Wood Ranch Medical and Michigan’s Brookside ENT and Hearing Center.

Ransomware Damages Some Manchester Ophthalmology Patient Data

A hacker breached several computers of Manchester Ophthalmology in Connecticut and attempted to launch a ransomware attack. After the incident, the data of 6,846 patients was compromised and could not be restored, as the data was not backed up.

On November 25, employees detected unusual activity on the computer network, and officials said they launched an investigation with help from an outside technology firm. The investigation found the hacker gained access to the network for three days and was attempting to encrypt data with ransomware.

Access was terminated before any data was encrypted. However, some data was not backed up and could not be restored. The compromised data included patient names, treatment data, and medical histories. The hacker did not download the data during the attack.

Manchester has since provided further training to its employees on existing policies and procedures, including addressing proper computer system backups of all information.

VillageCareMAX Reports Business Email Compromise

About 2,645 VillageCareMAX & VillageCare Rehabilitative & Nursing Center managed care plan members are being notified that their data was potentially breached after a security incident.

On December 30, an employee received a suspicious email from an unauthorized individual masquerading as a member of the executive team, asking for information related to plan members. The employee initially believed the request to be legitimate and provided the requested information.

Upon discovering the request was not legitimate, the employee notified leadership and an investigation was launched with help from a third-party forensics specialist. The compromised data included names and Medicaid ID numbers.

VCMAX has assessed the security of its systems and reviewed and enhanced its existing policies and procedures. The incident was also reported to law enforcement.

Email Incident at Lawrenceville Internal Medicine

Lawrenceville Internal Medicine of New Jersey and Endocrinology Associates of Princeton are notifying 8,031 patients of an email error that potentially exposed their email addresses.

Patients were sent a standardized announcement on October 29, and two days later officials said they discovered that other patient email addresses were visible in the BCC line when the announcement was opened.

The email did not include medical data, contact details, or any other personal information. It’s believed just email addresses were potentially viewable by other patients. Officials said they are notifying patients to ensure patients were “aware of resources you may access to help safeguard your personal information.”

The practice’s IT staff has received further privacy and security training, which uses a different system to communicate with patients. Its security policies and procedures relating to email communication have also been strengthened.

Phishing Attack on Phoenix Children’s Hospital

Seven employees of Phoenix Children’s Hospital fell victim to a targeted phishing campaign in September, which potentially breached the data of about 1,860 current and former patients.

The attack lasted for about two weeks between September 5 and September 20. An investigation was launched upon discovery, and officials said they discovered patient health information was contained in the accounts on November 15. The data was potentially viewed or accessed by the hackers.

The compromised data included names, personal data, and limited health information and Social Security numbers for a small number of patients. Those patients will receive a year of free credit monitoring and identity theft protection services.

Meadville Medical Employee Payroll Security Incident

Pennsylvania-based Meadville Medical Center is currently investigating a security incident impacting its employee payroll system, according to local news outlet Meadville Tribune.

The report did not explain when the attack was detected. But upon discovery, officials said they secured the employee payroll computer portal, contacted the FBI, and launched an investigation. Officials are working with a third-party forensics team to determine what information was involved.

Currently, it appears just employee data has been impacted by the incident, including unauthorized access to the personal data of certain employees and their dependents. The investigation has so far found no evidence that patient data has been compromised.

Next Steps

Dig Deeper on Healthcare data breaches