25,148 Patients Impacted in Ransomware Attack on the Southeastern Council on Alcoholism and Drug Dependence

A ransomware attack has resulted in widespread file encryption at the Southeastern Council on Alcoholism and Drug Dependence (SCADD) in Lebanon, CT.

The attack was discovered on February 18, 2019 when problems started to be noticed with its network. The investigation confirmed ransomware had been downloaded on its systems, some of which included the protected health information (PHI) of patients.

While no proof was found that indicated the hackers accessed files containing PHI, third-party forensic investigators were unable to eliminate patient data access. Due to this, the incident was reported to the HHS’ Office for Civil Rights as a potential data breach and notification letters have been sent to impacted patients. So far, no reports have been received which suggest any patient information has been improperly used.

Patients have been advised that their name, address, medical history, treatment information, and Social Security number has potentially been impacted. All impacted individuals have been offered complimentary credit monitoring and identity theft protection services.

The breach summary on the OCR website states that up to 25,148 patients have been affected by the incident.

Elsewhere, Amherst, MA-based health plan, Independent Health, has revealed that an employee emailed documents containing the PHI of 7,600 members to an individual who was not authorized to view the data.

The dat was sent, in error, to an Independent Health member on March 19, 2019. That person contacted Independent Health within an hour of the email being received to report the privacy breach and confirm that the message and documents had been erased.

The documents included plan member information such as ID numbers, providers seen, dates of service, claim numbers, claim payment information, and medical process codes. While no Social Security numbers or financial data was exposed and the risk of identity theft or fraud is thought to be low, all affected individuals have been offered 12 months of free identity theft protection and credit monitoring services. The staff member in question has been subjected to disciplinary procedures in tandem with the company policy.