Salida, CO-based First Street Family Health has suffered a destructive cyberattack, in which files containing patient information were exfiltrated and then deleted from its systems. This method of attack is becoming more common, where data is stolen, deleted, and then threats are issued to publish or sell the data if payment is not made to the attackers, but files are not encrypted using ransomware.
First Street Family Health said the attack was detected on July 16, 2022, with the investigation confirming that the attackers first gained access to its systems on July 5, 2022. The unauthorized access was blocked on July 16. The attackers deleted electronic medical records from June 28, 2021, to July 15, 2022, and while backups of those records had been made, the backups were also deleted so the information in those records has been lost. No evidence was found to indicate those records were stolen. Medical referral forms stored on the affected computer systems may have been viewed or acquired, but those records were successfully restored from backups.
The breached records included full names, addresses, birth dates, phone numbers, email addresses, Social Security numbers, dates of service, nature of services, diagnoses, conditions, lab results, medications, health insurance identification cards and numbers, and billing information.
Notification letters were sent to affected individuals on August 26, 2022, and complimentary memberships to CyberScout’s credit monitoring service have been offered. First Street Family Health said a national cybersecurity firm assisted with the investigation and conducted a security review, and additional security measures are being implemented based on the firm’s recommendations.
The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Northeast Rehabilitation Hospital Network Notifies Patients About 2021 Cyberattack
Salem, NH-based Northeast Rehabilitation Hospital Network (NRHN) has started notifying patients that unauthorized individuals gained access to its computer systems and may have viewed or obtained sensitive data. The data breach was detected on September 30, 2021, when suspicious activity was detected within its network. The subsequent investigation confirmed its systems were compromised between September 30, 2021, and October 5, 2021.
NRHN said the delay in issuing notifications to affected individuals was due to the time-consuming process of reviewing all affected files on its systems, and that process was not completed until August 3, 2022. Notification letters are now being sent and individuals will be informed in those letters about the types of information that were involved. NRHN said it is unaware of any attempted or actual misuse of patient data. Credit monitoring and Identity theft protection services have been offered to affected individuals.
This post will be updated when the number of affected individuals is known.
The post Cyberattack and Data Destruction Reported by First Street Family Health appeared first on HIPAA Journal.