Capital Region Medical Center (CRMC) in Jefferson City, MO has recently confirmed patient information was accessed by unauthorized individuals in a December 2021 cyberattack that took its network and phone systems offline for several days.
The attack was detected on December 17, 2021, when network systems were disrupted. An investigation was launched to determine the nature and scope of the breach, and a public announcement about the security incident was issued on December 23, 2021. It was initially unclear if patient information had been compromised but that has now been confirmed.
CRMC said at this stage of the investigation it does not appear that the attackers gained access to its electronic medical record database; however, the files accessed or potentially accessed by the attackers included information such as patient names, addresses, birth dates, medical information, and health insurance information. A subset of patients also had their Social Security numbers, driver’s license numbers, and/or financial account information exposed. That subset of patients has been offered a complimentary 12-month membership to credit monitoring services. CRMC said it has found no evidence to date to indicate any patient information has been misused.
CRMC said it will continue to evaluate its security practices and will look for opportunities to implement additional cybersecurity measures to bolster security and prevent similar cyberattacks in the future.
The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Labette Health Notifies Patients About October 2021 Cyberattack
Labette Health in Kansas has recently announced its IT systems were accessed by unauthorized individuals between October 15, 2021, and October 24, 2021.
Labette Health said that it took immediate steps to secure its network and limit the potential for additional harm. Third-party cybersecurity professionals were engaged to investigate the security breach and determine the nature and scope of the cyberattack. The investigation concluded on February 11, 2022, that certain files and folders on its network that contained patients’ protected health information had been accessed by unauthorized individuals, who may have exfiltrated some of those files.
The files contained employee and patient names and one or more of the following types of information: Social Security number, medical treatment and diagnosis information, treatment costs, dates of service, prescription information, Medicare or Medicaid number, and health insurance information.
It has been four months since the breach occurred, and to date, Labette Health has not found any evidence of misuse of patient or employee information. Labette Health said on March 11, 2022, written notifications were sent to affected individuals out of an abundance of caution. Individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring services.
Labette Health said it followed the recommendations of cybersecurity experts and has strengthened network security, implemented more robust password security policies and multi-factor authentication for network access, and has upgraded endpoint detection software and provided additional network security and threat detection training to the workforce.
The data breach has not yet appeared on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.
The post Capital Region Medical Center and Labette Health Announce Potential PHI Breaches appeared first on HIPAA Journal.