Stockdale Radiology and Affordacare Urgent Care Clinics Targeted in Ransomware Attacks

Stockdale Radiology in California has revealed that private patient data has been compromised due to a ransomware attack that took place on January 17, 2020. An internal review confirmed that the hackers gained access to patients’ first and last names, addresses, refund logs, and personal health data, including doctor’s notes. Stockdale Radiology said a restricted number of patient files were publicly exposed by the hackers. Stockdale Radiology also noticed on January 29, 2020, that further patient information may have been accessed, but that information has not been publicly shared.

Systems were quickly shut down to prevent any further unauthorized data access, and a third-party computer forensics firm was hired to investigate the breach and determine how access was obtained and who was affected. The FBI was immediately alerted about the attack and arrived at Stockdale Radiology within 30 minutes. The FBI investigation into the breach is ongoing.

Reacting to the attack, Stockdale Radiology has completed a review of internal data management and its security protocols and has taken steps to improve cybersecurity to prevent additional attacks in the future.

According to the breach report on the HHS’ Office for Civil Rights website, 10,700 patients were impacted by the breach.

Affordacare Urgent Care Clinics Hit by Ransomware Attack

Abilene, TX-based Affordacare Urgent Care Clinics has begun alerting patients that some of their protected health information may have been compromised due to a ransomware attack. The attack was first noticed on February 4, 2020 and is believed to have begun on or around February 1, 2020.

A review of the breach showed that the attackers gained access to its servers and deployed Maze ransomware. Prior to deploying the ransomware, the attackers obtained patient information. Some of that data has been publicly shared.

The range of data on the compromised servers included names, addresses, telephone numbers, ages, dates of birth, visit dates, visit locations, reasons for appointments, health insurance provider names, health insurance policy numbers, insurance group numbers, treatment codes and descriptions, and healthcare provider remarks. No financial information, electronic health records, or Social Security numbers were impacted.

57,411 individuals have been impacted by the breach. Those individuals have been provided with complimentary credit monitoring, identity theft protection, and identity recovery services.

Georgia Department of Human Services Encounters Improper Disposal Incident

The Georgia Department of Human Services has revealed that staff in Augusta, GA improperly disposed of boxes of confidential case files, including the records of individuals who received services from the Division of Family & Children Services (DFCS) before June 12, 2017 and individuals who were treated by the Division of Aging Services (DAS) before 2017.

After being made aware of the incident, swift action was taken to recover the boxes to stop them from being accessed by unauthorized people. The Georgia Department of Human Services does not believe the files were accessed by unauthorized actors during the time the files were left unprotected. All impacted patients are being notified about the breach and policies and procedures are being reviewed to stop similar incidents in the future.

According to the breach summary published on the HHS’ Office for Civil Rights breach portal, the files included the records of up to 500 individuals.

Finally, NeoGenomics is contacting 911 patients to let them know that some of their PHI has been accidentally disclosed to an unauthorized person.

On January 28, an employee was communicating with a patient about completing and returning a form to NeoGenomics and accidentally linked and sent the wrong Excel spreadsheet. The spreadsheet sent to the patient included data of patients who had laboratory tests carried out between January 2018 and October 2019.

The spreadsheet included patients’ first and last names, dates of birth, and the names of the tests completed by NeoGenomics. The results of the tests were not included in the spreadsheet and no other information was impermissibly shared. The mistake was reported to NeoGenomics by the patient, who confirmed in writing that the spreadsheet has been removed.