25,148 Patients Impacted in Ransomware Attack on the Southeastern Council on Alcoholism and Drug Dependence

by | May 16, 2019

A ransomware attack has resulted in widespread file encryption at the Southeastern Council on Alcoholism and Drug Dependence (SCADD) in Lebanon, CT.

The attack was discovered on February 18, 2019 when problems started to be noticed with its network. The investigation confirmed ransomware had been downloaded on its systems, some of which included the protected health information (PHI) of patients.

While no proof was found that indicated the hackers accessed files containing PHI, third-party forensic investigators were unable to eliminate patient data access. Due to this, the incident was reported to the HHS’ Office for Civil Rights as a potential data breach and notification letters have been sent to impacted patients. So far, no reports have been received which suggest any patient information has been improperly used.

Patients have been advised that their name, address, medical history, treatment information, and Social Security number has potentially been impacted. All impacted individuals have been offered complimentary credit monitoring and identity theft protection services.

The breach summary on the OCR website states that up to 25,148 patients have been affected by the incident.

Elsewhere, Amherst, MA-based health plan, Independent Health, has revealed that an employee emailed documents containing the PHI of 7,600 members to an individual who was not authorized to view the data.

The dat was sent, in error, to an Independent Health member on March 19, 2019. That person contacted Independent Health within an hour of the email being received to report the privacy breach and confirm that the message and documents had been erased.

The documents included plan member information such as ID numbers, providers seen, dates of service, claim numbers, claim payment information, and medical process codes. While no Social Security numbers or financial data was exposed and the risk of identity theft or fraud is thought to be low, all affected individuals have been offered 12 months of free identity theft protection and credit monitoring services. The staff member in question has been subjected to disciplinary procedures in tandem with the company policy.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy