Ransomware Attack at Fitzgibbon Hospital Affects 112,000 Patients
Back in June 2022, HIPAA Journal reported on a cyberattack on Fitzgibbon Hospital in Marshall, MO, after being contacted directly by a spokesperson for a threat group called DAIXIN Team, who claimed responsibility for the attack. That individual said the hospital’s systems had been compromised and 40GB of data had been exfiltrated, which included files containing patient names, dates of birth, medical record numbers, patient account numbers, Social Security numbers, and medical and treatment information. Some of that information was released on the group’s dark web data leak site.
6 months after the attack, the hospital has now confirmed that a data breach occurred involving the protected health information of 112,072 patients. According to Fitzgibbon Hospital, the attack was detected on June 6, and an investigation was immediately launched to determine the nature and scope of the breach. Third-party cybersecurity professionals were engaged to investigate and, according to the December 2022 breach notice, that investigation is still ongoing. Fitzgibbon Hospital said it discovered on December 1, 2022, that some patient data had been compromised in the attack including “full names, Social Security numbers, driver’s license numbers, financial account numbers, health insurance information, and/or medical information,” with the data involved varying from individual to individual.
Fitzgibbon Hospital said it is unaware of any misuse of the stolen data at the time of issuing notifications to patients, which were sent on December 30, 2022, and that, “out of an abundance of caution,” individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. Fitzgibbon Hospital confirmed that it had taken many steps to protect patient information prior to the cyberattack and continually evaluates and modifies its practices to enhance the security and privacy of its patients’ information. This includes the education and counseling of its workforce regarding patient privacy matters.
Howard Memorial Hospital Announces December 2022 Cyberattack
Howard Memorial Hospital in Nashville, AR, has recently announced that it detected suspicious activity within its computer network on December 4, 2022. Prompt action was taken to secure the network and investigate to determine the nature and scope of the incident, with third-party cybersecurity professionals engaged to assist with that process. On December 29, 2022, the hospital confirmed that unauthorized individuals had gained access to its network on November 14, 2022, and access remained possible until December 4, 2022, when its network was secured.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
During that time the threat actor had access to and exfiltrated certain files, some of which contained patient information. Howard Memorial Hospital has confirmed that up to 53,668 individuals were affected by the breach, which exposed information such as names, contact information, dates of birth, and Social Security numbers have been affected, along with employee data that may also have included direct deposit bank account information. Notification letters will be sent to affected individuals when they have been identified and up-to-date contact information has been obtained.
