The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hacking Incidents Reported by Atlantic General and Lawrence General Hospitals

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights, state Attorneys General, and the media.

Atlantic General Hospital – Ransomware Attack

Atlantic General Hospital (AGH) in Berlin, MD, has recently reported a ransomware attack to the Maine Attorney General that has affected up to 30,704 individuals. The attack was detected on January 29, 2023, when files were discovered to have been encrypted. A third-party computer forensics firm was engaged to assist with the investigation and determined that there was unauthorized access to files containing patient information from January 20, 2023.

The review of those files was completed on March 6, 2023, and confirmed they contained names, Social Security numbers, financial account information, and one or more of the following data types: medical record number, treating/referring physician, health insurance information, subscriber number, medical history information, or diagnosis/treatment information.

Notification letters were mailed to the affected individuals on March 24, 2023. Affected individuals are entitled to enroll in credit and identity monitoring services for 12 months at no cost. AGH has provided additional training to employees and is working on implementing additional safeguards to prevent similar attacks in the future.

The incident has since been reported to the HHS’ Office for Civil Rights as involving the protected health information of 26,591 individuals.

Lawrence General Hospital – Hacking Incident

Lawrence General Hospital in Massachusetts recently reported a HIPAA compliance data breach to the HHS’ Office for Civil Rights that has affected 76,571 individuals. Little is known about the breach, which was reported to OCR on February 23, 2023, as a hacking/IT incident. As of March 29, 2023, a notice has not been added to the hospital website and the breach has not been listed on the Massachusetts Attorney General breach portal.

OU Health – Stolen Laptop Computer

OU Medicine Inc. in Oklahoma has reported a breach of the protected health information of 3,013 OU Health patients. On December 26, 2022, an employee’s laptop computer was stolen. A review was conducted of the data believed to be present on the laptop, and on January 17, 2023, OU Health determined that emails may have been accessible that included patient data such as names, birth dates, Social Security numbers, driver’s license numbers, account numbers, medical record numbers, provider names, dates of service, health insurance information, and diagnosis and treatment information.

While there have been no reported instances of misuse of patient data, OU Health could not rule out unauthorized access to patient data. All affected individuals have been notified and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

Majestic Care – Hacking Incident

Majestic Care, a provider of community-based skilled nursing throughout Indiana, Ohio, and Michigan, has confirmed that it was the victim of a hacking incident in December 2022 that disrupted access to its information systems. The security breach was detected on December 13, 2022, and resulted in access to its information systems being prevented until December 16, 2022.

The forensic investigation confirmed the disruption was caused by malicious software on its systems which was installed by an unauthorized individual who first gained access to the network on December 9, 2022. On February 3, 2023, it was confirmed that there may also have been unauthorized access to and exfiltration of files containing personal and protected health information, including names, mailing addresses, birth dates, telephone numbers, Social Security numbers, driver’s license numbers, and information related to treatment and payment for healthcare.

The breach affected 2,636 individuals who received services through Majestic Care Middletown Assisted Living LLC in Indiana.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
