[BreachExchange] St. Mark’s Ransomware Attack Could Affect 33K Patients

Audrey McNeil audrey at riskbasedsecurity.com
Fri Aug 25 15:47:19 EDT 2017


https://healthitsecurity.com/news/st.-marks-ransomware-attack-could-affect-33k-patients

St. Mark’s Surgery Center, LLC suffered a ransomware attack between April
13 and April 17, 2017 that impacted its server, according to an online
statement.

On May 8, 2017, a forensics team found evidence the attack potentially
affected the personal information of certain St. Mark’s patients. The data
may have included patient names, dates of birth, health information,
treatment information, and Social Security numbers.

The ransomware attack may have affected 33,877 patients, according to the
OCR data breach reporting tool.

St. Mark’s said it immediately began an investigation to determine the
extent of the damage. A third-party forensics team determined there is no
evidence to suggest any patient PHI has been misused at this time.

St. Mark’s has issued notices to all potentially impacted patients
providing further information about the incident. Additionally, the
healthcare center is offering concerned patients one year of free identity
protection services.

“Since the ransomware attack, we have taken a variety of actions to prevent
similar situations from occurring in the future,” St. Mark’s said in its
statement. “These include installation of a more robust firewall, with
unified threat management services; installation of a backup and disaster
recovery system that includes active hourly imaging and offsite replication
to redundant data centers; and ensuring that all devices are fully updated,
and that they are protected by the latest antivirus software.”

22K potentially affected by phishing attack at health plan organization

On June 6, 2017, Elderplan Inc. discovered evidence that an unauthorized
individual had gained access to several employee email accounts following a
phishing attack.

Elderplan said in an online statement that it immediately disabled the
affected email accounts and blocked any further access to the initial
phishing email.

Additionally, the organization launched an investigation into the incident
with the help of a third-party forensic company. Elderplan stated “no
suspicious activity was indicated in the short window of time before the
affected email accounts were disabled, nor were any emails forwarded from
the accounts.”

Potentially accessed information may have included patient names, insurance
information, Medicare numbers, diagnoses, treatment dates, and treatment
facilities.

The incident may have involved the patient information of approximately
22,000 individuals, according to the OCR data breach reporting tool.

Elderplan stated it cannot determine whether any accounts were viewed or
accessed. However, there presently exists no evidence to suggest any
information has been misused.

Elderplan started to mail notices to potentially affected members and
established a call center to answer any questions regarding the phishing
attack.

Additionally, the organization is offering free identity protection
services to affected members for one year.

MJHS suffers phishing attack potentially affecting 6K patients

MJHS Home Care recently became aware of an instance of unauthorized
employee email access resulting from a phishing attack on June 8, 2017,
according to an online statement.

MJHS immediately disabled the affected email account and blocked any
further employee access to the phishing email.

The healthcare organization hired a third-party forensic firm to launch an
investigation into the incident and determined there was no evidence to
suggest any patient information had been misused in any way.

MJHS stated it cannot confirm with complete certainty that emails in the
account were not viewed or accessed before the account was disabled.

Potentially accessed information may have included patient names,
diagnoses, treatment dates, treatment facilities, and some insurance
information and Medicare numbers.

The information of over 6,000 patients may have been involved in the
breach, according to the OCR data breach reporting tool.

MJHS is presently emailing letters to impacted patients relaying the
details of the incident. Additionally, the healthcare organization has set
up a call center to answer any questions patients may have.

MJHS is also providing one year of free credit monitoring services to those
patients whose Medicare numbers were included in the affected emails.

“To help prevent something like this from happening in the future, MJHS
Home Care is implementing additional security measures for the access of
email and use of mobile devices,” MJHS said in its statement. “We are also
conducting refresher training for all MJHS Home Care employees on security
procedures.”

MJHS suffered a similar phishing attack in 2016. In that case, 2,483
individuals may have been affected, according to the OCR data breach
reporting tool.

Salinas family healthcare center suffers ransomware attack

On June 18, 2017, a ransomware attack encrypted some Salinas Family
Healthcare Center (SFHC) computer workstations and network servers,
according to an online statement.

In response to the incident, the healthcare center worked to secure the
affected systems and investigated the incident. SFHC said it immediately
restored its computers and servers using a recent backup.

Additionally, SFHC enlisted the services of independent computer forensics
experts to investigate how the incident occurred and determine the extent
of the damage.

Experts did not find any evidence indicating patient information had been
accessed. However, investigators stated they cannot rule out the
possibility information had been accessed.

Potentially viewed information may have included patient names, addresses,
Social Security numbers, dates of birth, health insurance information, and
medical treatment information.

No financial information was involved in the incident, according to SFHC
officials.

The healthcare center issued letters to potentially impacted individuals
including information regarding steps they can take to avoid further
damage. SFHC established a call center to answer any questions from
concerned patients and has offered complimentary credit monitoring and
identity theft protection services to affected patients.

SFHC did not say in the statement how many individuals were potentially
affected by the incident.

Institute for Women’s Health discovers keylogger virus

The Institute for Women’s Health (IFWH) said in an online statement it
recently discovered a keylogger virus on its computer network that was
installed on June 5, 2017.

IFWH officials learned of the virus one month after it was installed, and
removed it from the majority of all network computers and terminal servers
by July 11, 2017.

Following the incident, IFWH issued notices to all patients potentially
impacted.

The healthcare institute stated credit card or debit card information may
have been affected for patients who paid for IFWH services with a credit or
debit card between June 5, 2017 and July 11, 2017.

Other information potentially affected included patient names, addresses,
dates of birth, Social Security numbers, scheduling notes, current
procedural technology and billing codes, and any other information
potentially keyed or typed into the IFWH system during the period the virus
was active.

IFWH officials stated any patient information not keyed into the system and
any patient portal information were not accessed at any time.

IFWH is offering potentially impacted patients free credit monitoring
services, a $1 million insurance reimbursement policy, and educational
materials regarding identity protection.

IFWH said it has implemented additional safeguards to improve the data
security of its web server infrastructure and reduce the likelihood of
similar incidents in the future.

The healthcare institute has also set up a call center to assist patients
with any questions they may have regarding the virus.

IFWH did not state how many patients may have been impacted by the breach.