Summary of Cyberattacks: Ransomware Hits Georgia Hospitals and Colorado Pathology Services

From small community hospitals like Memorial Hospital and Manor in Bainbridge, Georgia, to the largest providers, ransomware, corporate email compromises and other cyber threats are disrupting daily care across the United States.

“America now averages two healthcare system data breaches per day,” said Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, in his opening remarks at the HIMSS Healthcare Cybersecurity Forum in Washington, DC, last week.

Cyber ​​threat actors often exploit fundamental vulnerabilities and target people who work for hospitals and healthcare systems. Case in point: Major health care system Kaiser Permanente said Sunday it has sent a notice to affected individuals in Southern California whose personal health information was compromised when an unauthorized party gained access to the email accounts of two employees.

But they can also be clever with their exploits, using phishing attacks backed by advanced social engineering. Earlier this month, a cyber exploit resulted in the exfiltration of patient data on 1.8 million individuals from Colorado-based independent pathology services provider Summit Pathology.

Georgia hospital loses access to EHR

Memorial Hospital and Manor, a community hospital in Decatur County Georgia, told its followers on Facebook on Sunday that a ransomware attack has impacted its electronic health records and patients may experience delays in care.

The attack was discovered this weekend after team members noticed warnings about virus protection, the hospital said in the newspaper after.

“Please be patient as you may experience longer wait times if you come to the hospital or doctor’s office as we are working on a paper-based process,” Memorial Hospital and Manor said.

No information about the attack is currently available on the hospital’s website, although the hospital said it is evaluating what to do to restore access to its patient records, a hospital spokesperson said. report by local WALB News.

Healthcare IT news have contacted the hospital for a statement, and if one becomes available we will update this story.

Kaiser reports patient data breach

On Friday, the health care system posted a notice to its Southern California members about a health information privacy issue discovered on September 3. ​​The unauthorized party gained access to the email accounts of two staff members, according to the notification posted on its website.

“Upon learning of the incident, we terminated the unauthorized access and immediately initiated an investigation to determine the extent of the access,” Kaiser Permanente said.

“After validating the contents of the email, we determined that it was protected health information of some patients.”

Although the health care system said Social Security numbers and financial information were not involved, protected health information, including first and last names, dates of birth, medical record numbers and medical information, was “potentially accessed and/or viewed.”

While health care system operations continued, affected individuals were contacted directly, Kaiser Permanente said.

Attack on laboratory services affects patients

On October 18, Loveland, Colorado-based Summit Pathology reported to the U.S. Health and Human Services that the data of 1,813,538 people had been compromised in a hacking incident.

“The affected systems contain demographic and healthcare information, including names, addresses, medical billing and insurance information, certain medical information such as diagnoses, and demographic information such as dates of birth, Social Security numbers and financial information,” the pathology services company said. in one notification on its website.

On or around April 18, Summit said it identified suspicious activity on its network and took immediate steps to secure it, launching an investigation with the assistance of outside forensic specialists. They were able to identify which files “may have been accessed or obtained by the unauthorized cybercriminal.”

Summit also said that after a review of its policies and procedures, it has added new “administrative and technical safeguards to help prevent future attacks.”

The Oklahoma City-based Murphy Law Firm said in an Oct. 31 release statement that it will file a class action lawsuit and investigate claims related to the incident.

Summit’s forensic investigation “determined that cybercriminals infiltrated the inadequately secured computer environment and thereby gained access to the data files,” the law firm said.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.