Ransomware attack on Georgia health system
St. Joseph’s/Candler discovered ransomware earlier in the summer, and the incident has now compromised the records of 1.4 million patients.
This month, the Savannah-based health system published a notice regarding the incident. It stated that it took its network offline for several days.
According to the organization’s website, “SJ/C’s investigation revealed that an unauthorized party gained access to SJ/C’s IT network between December 18, 2020, and June 17, 2021.”
The notice stated: “While in our IT network the unauthorized party launched a ransomware attack that made our files inaccessible.”
According to a U.S. Department of Health and Human Services’ Office of Civil Rights breach report, the hack affected the records of 1.4 million people.
This information could have included patient names, in combination with:
- Date of birth
- Social Security Number
- Driver’s license number
- Patient account number
- Billing account number
- Financial information
- Health insurance plan member ID
- Medical record number
- Dates of service
- Names of providers
- Information regarding medical and clinical treatment received from SJ/C
The notice said that, “To prevent such an incident from happening again,” the organization will continue to adopt additional safeguards and technical security precautions to protect its systems.
EHR spying affects 10K patients
Long Island Jewish Forest Hills Hospital in Queens, New York, has informed patients who may have been affected by a former employee’s unauthorized EHR access.
OCR has filed a breach report stating that the incident impacted 10,333 patients.
According to the hospital, in January 2020, a subpoena was issued for documents related to an investigation into a “no-fault” motor vehicle accident insurance scheme.
LIJFH received it and realized that the former employee mentioned in the subpoena had improperly accessed EHRs.
According to the hospital, there is no evidence that the information that the former employee accessed was improperly used or related to the insurance scheme being investigated.
However, the organization will still notify all patients whose medical records were accessed between August 23, 2016, and October 31, 2017.
Officials stated that they had confirmed that the employee was no longer employed by LIJFH and that they had taken steps to prevent such an incident from happening in the future. These included employee training and additional security tools.
According to LIJFH, “Finally the Compliance Department conducts audits on medical record access to minimize any future incidents.”