Chelan Douglas Health District in East Wenatchee, WA, has announced it was the victim of a cyberattack in July 2021 in which the personal and protected health information of patients was exfiltrated from its systems. The breach notice uploaded to Chelan Douglas Health District website does not disclose when the breach was detected but says a third-party cybersecurity company was engaged to investigate the cyberattack and confirmed that its network was accessed by unauthorized individuals between July 2 and July 4, 2021. A representative for the health district said this was not a ransomware attack.
The review of the files that were removed from its systems was completed on February 12, 2022, and confirmed the following types of patient data had been stolen: Names, Social Security numbers, dates of birth/death, financial account information, treatment information, diagnosis information, medical record/ patient numbers, and health insurance policy information.
Notification letters started to be sent to affected individuals on March 15, 2022. Individuals who had their Social Security numbers stolen have been offered complimentary credit monitoring services. Chelan Douglas Health District said it is unaware of any cases of identity fraud or other misuse of patient data. Steps have since been taken to improve the security of its systems to prevent further data breaches in the future.
The incident has not yet appeared on the HHS’ Office for Civil Rights website, so it is currently unclear exactly how many individuals have been affected. There have been some reports in the media that suggest the PHI of approximately 109,000 individuals was stolen in the attack.
BEC Attack Reported by Liberty of Oklahoma Corporation
Oklahoma’s Department of Human Services and Liberty of Oklahoma Corporation (LOC) have announced that patient information was potentially accessed in a business email compromise attack in early December 2021.
On December 7, 2022, an employee in the Oklahoma Waitlist program received an email from a spoofed email account that attempted to redirect payments that were owed to LOC. The scam was detected and no fraudulent payments were made, but while investigating the incident they determined the email account of a LOC employee had been compromised.
The email account was immediately disabled, and a review was conducted to determine the types of information that may have been accessed or stolen. The review confirmed names, addresses, dates of birth, phone numbers, Social Security numbers, Oklahoma client Numbers, and the contact information of representing persons had been exposed.
LOC reported the breach to the HHS’ Office for Civil Rights as affecting 5,746 individuals.
East Tennessee Children’s Hospital Investigating Security Breach
East Tennessee Children’s Hospital is currently investigating a security breach that occurred on March 13, 2022, and caused disruption to its IT systems. A spokesperson for the hospital said the incident has not affected the ability of the hospital to provide care to patients and its internal teams and external agencies are working to minimize the disruption caused by the incident.
A forensic investigation has been initiated to determine the nature and scope of the security incident, but at this stage of the investigation, it is not known whether any patient information has been accessed or stolen.
The post Patient Data Stolen in July 2021 Cyberattack on Chelan Douglas Health District appeared first on HIPAA Journal.