25,148 Patients Impacted in Ransomware Attack on the Southeastern Council on Alcoholism and Drug Dependence

by | May 16, 2019

A ransomware attack has resulted in widespread file encryption at the Southeastern Council on Alcoholism and Drug Dependence (SCADD) in Lebanon, CT.

The attack was discovered on February 18, 2019, when problems with its network were first noticed. The investigation confirmed ransomware had been downloaded onto its systems, some of which contained the protected health information (PHI) of patients.

While no proof was found that the hackers accessed files containing PHI, third-party forensic investigators were unable to rule out access to patient data. Due to this, the incident was reported to the HHS’ Office for Civil Rights as a potential data breach and notification letters have been sent to impacted patients. So far, no reports have been received which suggest any patient information has been improperly used.

Patients have been advised that their name, address, medical history, treatment information, and Social Security number have potentially been impacted. All impacted individuals have been offered complimentary credit monitoring and identity theft protection services.

The breach summary on the OCR website states that up to 25,148 patients have been affected by the incident.

Elsewhere, Amherst, MA-based health plan, Independent Health, has revealed that an employee emailed documents containing the PHI of 7,600 members to an individual who was not authorized to view the data.

The data was sent, in error, to an Independent Health member on March 19, 2019. That person contacted Independent Health within an hour of the email being received to report the privacy breach and confirm that the message and documents had been erased.

The documents included plan member information such as ID numbers, providers seen, dates of service, claim numbers, claim payment information, and medical process codes. While no Social Security numbers or financial data were exposed and the risk of identity theft or fraud is thought to be low, all affected individuals have been offered 12 months of free identity theft protection and credit monitoring services. The staff member in question has been subjected to disciplinary procedures in accordance with company policy.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations.