Cyber Brief: OneBlood Recovers from Ransomware, Change Starts Sending Breach Notifications
This week brings some positives for hospitals and health systems in the southeastern United States that rely on blood supplies, with critical network systems back online after the August 1 ransomware attack took down supplier OneBlood. Additionally, the high-profile 2019 breach of a Supreme Court justice’s protected health information by an alleged insider has been heard in federal court and resulted in a conviction.
In other news, the U.S. Department of Health and Human Services received a breach notification from Change Healthcare detailing the minimum number of people affected, 500, after ransomware caused a major nationwide outage in claims payments, disrupting care and exposing the PHI of potentially millions of patients.
OneBlood’s critical software online
The Orlando-based blood supplier said its network has been partially restored after a ransomware attack and encouraged blood donations as Tropical Storm Debby threatened the region, according to a report by CBS News Miami on Monday.
“The priority was to get the software system used to manage the blood supply back online and the team that worked around the clock made that happen,” Susan Forbes, senior vice president of corporate communications and public relations at OneBlood, said in an update Tuesday.
“At the moment, the processing and distribution of blood products to hospitals is almost normal,” she said.
OneBlood, which distributed blood to more than 250 hospitals in the southeastern United States, became the third target of ransomware attacks on blood suppliers in recent months, prompting the American Hospital Association to warn U.S. hospitals to make contingency plans for blood deliveries.
“The blood supply cannot be taken for granted,” Forbes said in the ransomware event update.
“Any one of us can get a blood transfusion at a moment’s notice.”
The company said in its FAQs that it does not yet have information about whether donors’ personal data was compromised in the July 29 attack.
Change reports to HHS
Nearly five months after a ransomware attack shut down Change Healthcare, parent company UnitedHealth Group reported the data breach to the HHS Office for Civil Rights.
UHG reported that 500 people were affected. However, the required data breach report follows the health payments clearinghouse's breach notice, issued directly to affected patients on July 31.
The scale of the breach is thought to have affected millions of patients. In June, OCR said Change had the responsibility to inform affected patients about the stolen information.
That month, the company sent messages to customers whose member or patient data was involved in the attack.
While the agency had previously launched an investigation into the breach, it recently said that data analysis to understand the scope of the breach is still ongoing.
“Change Healthcare’s breach report to OCR identifies 500 individuals as the estimated number of individuals impacted,” the agency said on its Change Healthcare cybersecurity incident FAQ page.
“Change Healthcare is still in the process of determining the number of individuals impacted,” the agency said, noting that information on the HHS Breach Portal would be updated as Change Healthcare updates the total number of individuals impacted.
On May 1, UnitedHealth Group CEO Andrew Witty told Congress why he decided to pay a $22 million ransom in Bitcoin, adding that the company did not have access to the exfiltrated data until mid-March.
“We are working tirelessly to uncover and understand every detail we can, which we can use to make our cyber defenses stronger than ever,” he told lawmakers.
Justice for Ginsburg’s data breach
Last week, a federal court convicted Trent James Russell of Arlington, Virginia, a former Army physician who worked as an organ transplant coordinator, of accessing and disclosing the medical information of U.S. Supreme Court Justice Ruth Bader Ginsburg in July 2019.
Russell was accused of posting a screenshot of her cancer care information, including dates of radiation treatments.
The screenshot first appeared on the message board 4chan in a discussion suggesting that Justice Ginsburg, who died on September 18, 2020, had died the previous year in a conspiracy to prevent then-President Donald Trump from selecting a new justice.
The image then began circulating on the Internet.
Russell pleaded not guilty, saying he never had access to her medical records at George Washington University Hospital in Washington, D.C., where she underwent radiation and other cancer treatments, according to a WRAL News report.
He testified that he and his colleagues shared passwords to bypass technical requirements that slowed the donation process, according to the story. However, prosecutors said he tried to destroy evidence after his remote access was disabled and he was transferred to Nebraska.
Russell faces a maximum prison sentence of 20 years when he is sentenced on November 7.
Andrea Fox is Editor-in-Chief of Healthcare IT News.
Email address: afox@himss.org
Healthcare IT News is a publication of HIMSS Media.