The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

California and North Dakota Hospitals Report Cyberattacks

Cyberattacks have been reported by Pembina County Memorial Hospital, Pomona Valley Hospital Medical Center, and Rancho Family Medical Group. The Massachusetts Department of Developmental Services has discovered documents containing PHI have been left unsecured for a decade.

Pembina County Memorial Hospital

Pembina County Memorial Hospital in Cavalier, ND, has recently confirmed that unauthorized individuals gained access to its network and exfiltrated sensitive patient data. Suspicious activity was detected within its network on April 13, 2023, and after securing its systems, a forensic investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed that there had been unauthorized access to its network between March 7, 2023, and April 13, 2023, and files had been exfiltrated from the network.

The forensic investigation and document review took almost a year, with the hospital stating in its breach notice that those processes were not completed until March 4, 2024. The types of information involved varied from individual to individual and may have included first and last names in combination with one or more of the following: address, phone number, email address, date of birth, driver’s license number, government identification number, vehicle identification number, passport number, Social Security number, patient ID account number, medical information, health information and/or health insurance information.

Pembina County Memorial Hospital said it has implemented additional cybersecurity safeguards, enhanced its cybersecurity training, and revised and updated its policies, procedures, and protocols. Complimentary identity monitoring and protection services have been offered to individuals whose Social Security numbers were involved. The breach has been reported to the Maine Attorney General as affecting 23,451 individuals, and the breach report to the HHS’ Office for Civil Rights indicates it involved the protected health information of 23,811 individuals.

Pomona Valley Hospital Medical Center

Pomona Valley Hospital Medical Center in California is notifying 13,345 individuals about a data breach at a subcontractor of one of its business associates. The hospital used a vendor to run its patient-management tool, and the vendor subcontracted out the storage of the underlying data to another company. In November 2023, the vendor was unable to access the patient management tool and worked with its subcontractor to address the problem. The access problems were due to a ransomware attack.

The attacker was discovered to have accessed patient data, including names, medical record numbers, dates of birth, and clinical information such as allergies, diagnoses, medications, and doctors’ notes. The hospital clarified the data that was involved and verified contact information, and notification letters have now been sent to the affected individuals. The hospital has confirmed that it no longer uses the vendor or subcontractor in connection with patient data.

Rancho Family Medical Group

Rancho Family Medical Group, Inc., a 10-location Californian health system, has confirmed that it has been affected by a data breach at its business associate, KMJ Health Solutions, a provider of online signout and charge capture systems.

Rancho Family Medical Group was notified on January 11, 2024, that there had been unauthorized access to the KMJ Health Solutions network on November 19, 2023. The compromised parts of the network contained the protected health information of 10,480 individuals, including names, dates of birth, hospital medical record numbers, hospital treatment locations, dates of service, and procedure medical codes. Rancho Family Medical Group mailed notifications to the affected individuals on March 11, 2024, along with information about the steps that they can take to protect themselves against misuse of their data.

Massachusetts Department of Developmental Services

The Massachusetts Department of Developmental Services (DDS), a state agency that provides support to individuals with intellectual and developmental disabilities across the state, has discovered that physical records have been exposed and may have been accessed by unauthorized individuals.

Personal documents containing protected health information were inadvertently left in buildings that were part of the former Walter E. Fernald Developmental Center campus in Waltham, MA, which was sold to the city of Waltham in 2014. The records included the PHI of individuals served by the DDS at the Fernald Developmental Center, as well as some staff records. DDS received a complaint about the documents on January 11, 2024, and visited the facilities to recover the documents the following day.

The documents had been improperly stored in the buildings since 2014 and many had degraded, so it was not possible to tell the exact types of information that had been exposed. Some documents contained names, dates of birth, diagnoses, medical information, medication/prescription information, and other treatment information. Financial account information or Social Security numbers have not been found, but DDS said it could not confirm whether those data types had been exposed due to the state of the documents. Similarly, it may not be possible to determine exactly how many people have been affected. An interim figure of 500 individuals was used when reporting the breach. DDS is now awaiting recommendations from the State Archivist and Secretary of State’s Office on how long the documents should be retained.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
