Stockdale Radiology and Affordacare Urgent Care Clinics Targeted in Ransomware Attacks

by | Apr 24, 2020

Stockdale Radiology in California has revealed that patient privated data has been compromised due to a ransomware attack that took place on January 17, 2020.An internal review confirmed that the hackers gained access to patients’ first and last names, addresses, refund logs, and personal health data, including doctor’s notes. Stockdale Radiology said a restricted number of patient files were publicly exposed by the hackers.  Stockdale Radiology also noticed on January 29, 2020, that further patient information may have been accessed, but has not been publicly shared.

Systems were quickly disabled shut down to prevent any further unauthorized data access and a third-party computer forensics firm was hired to investigate the breach and determine how access was obtained and who was affected. The FBI was immediately alerted about the attack and arrived at Stockdale Radiology within 30 minutes. The FBI investigation into the breach remains current.

Reacting to the attack, Stockdale Radiology has completed a review of internal data management and its security protocols and has taken steps to improve cybersecurity to prevent additional attacks in the future.

According to the breach report on the HHS’ Office for Civil Rights website, 10,700 patients were impacted by the breach.

Affordacare Urgent Care Clinics Hit by Ransomware Attack

Abilene, TX-based Affordacare Urgent Care Clinics has begun alerting patients that some of their protected health information may have been compromised due to a ransomware attack. The attack was first noticed on February 4, 2020 and is believed to have begun on or around February 1, 2020.

A review of the breach showed that the attackers gained access to its servers and deployed Maze ransomware. Prior to deploying the ransomware, the attackers obtained patient information. Some of that data has been publicly shared.

The range of data on the compromised servers included names, addresses, telephone numbers, ages, dates of birth, visit dates, visit locations, reasons for appointments, health insurance provider names, health insurance policy numbers, insurance group numbers, treatment codes and descriptions, and healthcare provider remarks.  No financial information, electronic health records, or Social Security numbers were impacted.

57,411 individuals have been impacted by the breach. Those individuals have been provided wirhh complimentary credit monitoring, identity theft protection, and identity recovery services.

Georgia Department of Human Services Encounters Improper Disposal Incident

The Georgia Department of Human Services has revealed that staff in Augusta, GA improperly disposed of boxes of confidential case files including the records of individuals who received services from the Division of Family & Children Services (DFCS) before June 12, 2017 and individuals who received were treated by the Division of Aging Services (DAS) before 2017.

After being made aware of the incident, swift action was taken to recover the boxes to stop them from being accessed by unauthorized people. The Georgia Department of Human Services does not believe the files were accessed by unauthorized actors during the time the files were left unprotected. All impacted patients are being notified about the breach and policies and procedures are being reviewed to stop similar incidents in the future.

According to the breach summary published on the HHS’ Office for Civil Rights breach portal, the files included the records of up to 500 individuals.

FInally, NeoGenomics is contacting 911 patients to let them know that some of their PHI has been accidentally disclosed to an unauthorized person.

On January 28, an employee was communicating with a patient about completing and returning a form to NeoGenomics and accidentally linked and sent the wrong Excel spreadsheet. The spreadsheet sent to the patient included data of patients who had laboratory tests carried our between January 2018 and October 2019.

The spreadsheet included patients’ first and last names, dates of birth, and the name of the tests completed by NeoGenomics. The results of the tests were not included in the spreadsheet and no other information was impermissibly shared. The mistake was reported to NeoGenomics by the patient, who confirmed in writing that the spreadsheet has been removed.


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy