Squirrel Hill Health Center & La Clinica de la Raza Infiltrated by Malware Attacks

On January 28, 2021 malware was discovered on databases holding private patient at the data La Clinica de la Raza in Oakland, CA. The clinic is now getting in touch with a range of patients to inform them that their protected health information may have been breached.

An external forensics group was hired to conduct an investigation into the malware attack.  On February 26, 2021 the group uncovered evidence of the malware allowing files including patient data to be accessed. The duration of the breach was short as it was only live for one day January 12, 2021. However, during the short period of time that the malware was live it is thought that the files may have been infiltrated by unauthorized individuals, but it is also thought there that involved very few documents including full names, dates of birth, phone numbers, home addresses, health insurance information, and certain health data including appointment details, diagnosis, test results, and treatment information related to medical services administered at the health center.

Measures have been implemented to enhance data security, including bolstering its intrusion detection and prevention system, securing login details, conducting additional staff training, and configuring other security solutions. The breach report filled to the HHS’ Office for Civil Rights shows 31132 individuals were impacted.

Meanwhile Squirrel Hill Health Center in Pittsburg, PA has become aware that malware was placed on its databases which allowed hackers with access to files that holds patients’ protected health information. An investigation found that a security breach took place on February 4, 2021.  An external computer forensic firm was contracted to review the breach and determined unauthorized individuals obtained access to its databases on January 28, 2021 and access was still open until February 4, 2021. While it is typical for attacks like this to steal personal data the clinic found no proof that personal information was subjected to actual or attempted improper use.

A review of the files that were potentially accessed revealed they contained names, addresses, dates of birth, diagnostic codes, limited appointment scheduling details, and, for a subset of individuals, Social Security numbers. The breach has affected 23,869 individuals. The groups security measures for the storage of and access to patient information is being subjected to a complete review and enhances measures are expected to be implemented soon.

Finally, the California Department of State Hospitals announced that in March 2021 a member of staff in their IT department accessed the data of 1,415 current and former patients and 617 employees without adequate authorization over the previous 10 months. This incident was first identified on February 25, 2021 as part of a routine audit of staff access to data storage.

Following an investigation into the insider breach it was found that the breach was worse than earlier believed. The data of 1,735 previous and current Atascadero State Hospital staff members and 1,217 DSH job applicants who never worked there. While the sensitive data was viewed there is no evidence to suggest indication that any data was improperly accessed.