Clarke County Hospital in Osceola, IA, has recently started notifying 28,003 current and former patients about a security breach that exposed some of their protected health information. Suspicious activity was detected within its IT environment and the network was immediately isolated. A third-party digital forensics firm was engaged to investigate the security breach to determine the nature and scope of the incident and confirmed there had been unauthorized access on April 14, 2023, and the parts of the network that were accessed contained patient information.

The electronic medical record system was not compromised, and highly sensitive information such as Social Security numbers, banking information, credit card information, and/or financial information was not accessed. The files potentially viewed or stolen included names, addresses, dates of birth, health insurance information, medical record numbers, and some health information. At the time of issuing notifications, no reports had been received to indicate there had been any actual or attempted misuse of patient data.

Clarke County Hospital said enhancements were immediately made to improve system security and experts have been engaged to conduct a comprehensive review of system security. Security protocols will be further enhanced based on the findings of the review. Complimentary credit monitoring services and identity theft protection services have been offered to all potentially impacted individuals for 12 months and the hospital recommends that all individuals take advantage of those services.

Health Benefit Plan Data Stored on Stolen Laptop

A laptop computer has been stolen from the vehicle of an employee of the Anchorage School District, potentially exposing the protected health information of employees covered by its health benefit plan. The theft occurred on March 15, 2023, and the incident was immediately reported to law enforcement, but the laptop computer has not been recovered.

The school district immediately investigated and confirmed that the laptop computer has not been reconnected to the Internet. A review was conducted to determine if any files had potentially been downloaded to the laptop that could have been accessed. The review identified some files that were maintained for human resources and benefits purposes, which contained names, Social Security numbers, and information related to enrollment in the employee health plan.

Complimentary credit monitoring and identity theft protection services have been offered to the 4,598 employees potentially affected. Further training has been provided to the workforce on the importance of safeguarding sensitive information and portable device security measures are being enhanced.

Henry Mayo Newhall Hospital Discovers Employee Snooped on Medical Records

Henry Mayo Newhall Hospital (Henry Mayo) in Valencia, CA, has discovered an employee has accessed the protected health information of certain patients without a valid business reason for doing so. The privacy breach was detected on May 8, 2023, and notification letters were sent to affected individuals on May 26, 2023.

The investigation confirmed that the employee was able to view patient information such as names, birth dates, medical record numbers, visit numbers, and clinical data such as diagnoses, vital signs, and narrative clinical notes. The employee was interviewed about the unauthorized access and Henry Mayo believes the records were accessed out of curiosity and that no patient information has been further disclosed or misused. The hospital has taken action per its sanctions policy and has taken steps to prevent further privacy breaches in the future, including continuing to counsel and educate staff members.

It is currently unclear how many patients have been affected.

The post 28,000 Clarke County Hospital Patients Affected by April Cyberattack appeared first on HIPAA Journal.

Mountain View Hospital, Idaho Falls Community Hospital, and several clinics in rural Idaho run by the same operator have been affected by a recent cyberattack. The decision was taken to temporarily close one of the clinics – Mountain View RediCare – while the attack is remediated.  All other clinics have remained open but are offering reduced services.

The cyberattack was detected on Memorial Day, and ambulances were diverted to other hospitals as a precaution. The diversion has remained in place through Wednesday and the facilities are still experiencing network issues due to the attack. The hospitals have remained open with staff manually recording patient information while the network is down. A spokesperson for Idaho Falls Community Hospital said patient safety has been the priority and work is continuing around the clock to restore access to computer systems and its systems are cleaned. At this stage, it is not possible to tell how long the recovery process will take and when systems will return to normal operation.

Details about the nature of the attack, such as if ransomware was used, have not been released at this stage, and it is too early to tell the extent to which patient information was involved. The hospital confirmed that the swift action of the IT department to contain the attack has limited the impact and has helped to keep patient data secure.

UI Community Home Care Suffers Ransomware Attack

UI Community Home Care, a subsidiary of the University of Iowa Health System, has recently reported a security incident to the HHS’ Office for Civil Rights that resulted in the exposure and possible theft of the protected health information of 67,897 patients.

The security breach was detected on March 23, 2023, when files were discovered to have been encrypted, preventing access. The forensic investigation confirmed there had been unauthorized access to files on its servers that started on or around March 23, 2023, and some of those files contained patient information. The electronic medical record system is separate from the affected servers and was not accessed in the attack.

The information potentially compromised varied from patient to patient and may have included name in combination with one or more of the following: date of birth, address, phone number, medical record number, referring physician, dates of service, health insurance information, billing and claims information, medical history information, and diagnosis/treatment information. At the time of issuing notifications, UI Community Home Care was unaware of any misuse of patient data. Security oversight efforts have been strengthened in response to the incident to prevent similar events from occurring in the future.

Grant Regional Health Center Notifies Patients About Email Account Compromise

Grant Regional Health Center in Lancaster, WI, has notified 4,135 patients about a breach of an employee email account. The notification letters do not state when the breach was detected but explain that the forensic investigation confirmed that the email account was subjected to unauthorized access between March 20, 2023, and March 24, 2023.

The review of the emails and attachments in the account was completed on May 9, 2023, and confirmed that patient names had been exposed along with one or more of the following data elements: date of birth, financial account information, medical information, health insurance information, Taxpayer ID number, and Social Security number. Grant Regional Health Center said no actual or attempted misuse of patient data has been detected. Email security has been enhanced to prevent similar breaches in the future.

The post Idaho Hospitals Divert Ambulances and Clinic Temporarily Closes Due to Cyberattack appeared first on HIPAA Journal.