IL, KY, and TN Healthcare Orgs Recovering from Recent Cyberattacks

Posted by Steve Alder

Morris Hospital & Healthcare Centers Investigating Royal Ransomware Attack

Morris Hospital & Healthcare Centers in Illinois has launched an investigation into a cyberattack that the Royal ransomware group has claimed responsibility for. Third-party forensics experts have been engaged to investigate the breach and determine the extent to which patient information was involved. While the investigation is still in the early stages, Morris Hospital & Healthcare Centers has confirmed that its electronic medical record system was unaffected; however, patient data was stored in the network that was compromised in the attack.

Morris Hospital & Healthcare Centers said it had implemented multiple security measures prior to the attack and that these were instrumental in limiting the severity of the incident. Further information will be released as the investigation progresses, and notification letters will be issued if it is determined that patient data has been compromised. On May 22, 2023, the Royal ransomware group added Morris Hospital & Healthcare Centers to its data leak site along with a sample of files allegedly stolen in the attack.

Norton Healthcare Recovering from Cyberattack

Norton Healthcare, a Kentucky-based operator of more than 140 clinics and hospitals in the Louisville area of Kentucky and Southern Indiana, has confirmed that it suffered a cybersecurity incident on May 9, 2023. Norton confirmed that its network is operational and that systems were proactively taken offline as a precaution and confirmed that at no point did the attackers have control of its network.

With IT systems offline, the staff switched to manual processes for recording patient information but said all of its facilities remained open and were able to continue to provide care to patients, although there have been delays to some services due to IT systems being offline, including medical imaging, lab test results, and prescription refills, and that there was a backlog of messages from its online patient portal which are taking time to work through and has caused delays to responses.

The threat actor behind the attack issued threats and demands via fax, but it is unclear at this stage to what extent, if any, patient data has been stolen. Norton did not state whether ransomware was used in the attack. Notifications will be issued to patients if it is determined that their information has been exposed or compromised.

Tennessee Orthopaedic Clinics Confirms March 2023 Cyberattack

Tennessee Orthopaedic Clinics is investigating a security breach that has caused disruption to some of its IT systems. The third-party forensic investigation determined that an unauthorized individual gained access to some of its IT systems between March 20, 2023, and March 24, 2023, and may have accessed or acquired files that contained patient information.

By May 2, 2023, it had been confirmed that patient data had been compromised, including names, contact information, dates of birth, diagnosis and treatment information, provider names, dates of service, cost of services, prescription information, and/or health insurance information, but the extent to which patients have been affected has not yet been disclosed.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals – a common placeholder that is used until the full extent of a breach is known. Notification letters will be issued to affected individuals when the review of the affected files has been completed. Tennessee Orthopaedic Clinics said additional safeguards and technical security measures have been implemented to prevent similar security breaches in the future.

Paramount Health Care Affected by NationBenefits Data Breach

The Maumee, OH-based insurance company, Paramount Health Care, has confirmed that it was affected by the recently reported 3 million-record cyberattack that affected the healthcare management solution provider, NationBenefits, on or around January 30, 2023. Paramount said hackers accessed and removed a database that contained patient information that included names, addresses, phone numbers, health insurance information, and Social Security numbers.

The cyberattack was conducted by the Clop threat group and exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution. Notification letters are being sent to patients by NationBenefits. It is currently unclear how many Paramount members have been affected by the incident.

The post IL, KY, and TN Healthcare Orgs Recovering from Recent Cyberattacks appeared first on HIPAA Journal.

Ohio Hospital Exposed Nurses and Other Staff to Workplace Violence

Posted by Steve Alder

The Occupational Safety and Health Administration (OSHA) has determined a children’s hospital in Columbus, Ohio failed to adequately protect healthcare employees from workplace violence. Patients attacked nurses and other healthcare professionals and their bites, kicks, punches, and other assaults resulted in staff members sustaining serious injuries.

An investigation was launched by OSHA in November 2022 following complaints from nurses and mental health staff at the Big Lots Behavioral Health Pavilion at Nationwide Children’s Hospital who had suffered serious injuries due to violent patient incidents, including lacerations, concussions, and sprains. Nationwide Children’s Hospital is the second-largest pediatric hospital in the United States and operates 68 facilities throughout Ohio and accepted over 1.5 million patient visits a year. The Big Lots Behavioral Health Pavilion provides acute behavioral healthcare services through intensive outpatient programs.

OSHA determined that employees at the facility were exposed to the hazard of workplace violence due to insufficient safety controls. Incidents included groping, biting, kicking, punching, head-butting, and scratching, which resulted in several employees suffering serious injuries during the admission process. The facility also failed to maintain proper records about injuries to its employees in the workplace.

OSHA issued a citation for one serious violation due to the failure to protect its workers from workplace violence and one other-than-serious violation related to records of incidents of workplace violence. Corrective actions have been recommended to improve safety in the workplace and $18,000 in penalties have been proposed. The Behavioral Health Pavilion at Nationwide Children’s Hospital has 15 days from the date the citations were issued to comply, request an informal conference with the OSHA Area Director, or contest the findings.

The suggested control measures to improve safety include the development and implementation of a written workplace violence prevention program specific to the conditions and hazards at the facility, specific written procedures for employees to take when encountering or responding to an incident of workplace violence, the development and implementation of standardized patient admission protocols to address patient on staff workplace violence, controls to prevent patients from using furniture as weapons, and to ensure there is adequate staffing to safely address changes in patient acuity and patient census.

“Behavioral healthcare workers can be exposed to risks when treating patients who suffer with conditions that can lead to violent outbursts,” said OSHA Area Director Larry Johnson in Columbus, Ohio. “Unfortunately, Nationwide Children’s Hospital failed to take the necessary precautions that could have prevented their employees from being injured.”

The post Ohio Hospital Exposed Nurses and Other Staff to Workplace Violence appeared first on HIPAA Journal.