Tallahassee Memorial Healthcare: Patient Data Stolen in Cyberattack

Tallahassee Memorial Healthcare (TMH), a non-profit health system serving patients in North Florida and South Georgia, experienced a cyberattack in late January that forced it to operate under emergency downtime procedures for around two weeks. According to the TMH breach notification, unusual system activity was detected on February 3, 2023, and its systems were secured. A third-party cybersecurity firm was engaged to investigate the breach and determined that unauthorized individuals had access to its systems between January 26 and February 2, 2023, and exfiltrated files during that time. Cyberattacks such as this often involve ransomware, although it is unclear if ransomware was used in this attack. TMH did not share further information on the exact nature of the attack.

The review of the stolen files has now been completed and affected individuals started to be notified about the incident on March 31, 2023. The information that was viewed or obtained included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, and/or limited treatment information. TMH confirmed that its electronic medical record system was not accessed in the attack.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 20,376 individuals. Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers were included in the breached data.

Guam Memorial Hospital Investigating Cyberattack

Guam Memorial Hospital (GMH) is investigating a cyberattack in which unauthorized individuals gained access to its network. The security breach was detected on March 2, 2023, and steps were immediately taken to secure its systems. Efforts are underway to restore its systems, and its firewalls have been replaced. GMH legal counsel Jeremiah Luther confirmed that the investigation will be completed within 60 days and notifications will be issued if it is determined that patient data was involved. Luther said no patient or employee information appears to have been compromised.

Luther said a network security flaw was identified and appears to have been exploited to gain access to the network, and that there is evidence suggesting multiple instances of unauthorized access. GMH has reported the breach to the FBI and Homeland Security, and information has been provided on a suspect. No further information about the exact nature of the attack has been released. Once systems have been restored, Luther said Homeland Security will conduct a security assessment and make recommendations on any areas where security should be improved.

Top of the World Ranch Treatment Center

Top of the World Ranch Treatment Center, a Milan, IL-based provider of addiction treatment programs, has started notifying 1,980 individuals that some of their protected health information was contained in a business email account that was accessed by an unauthorized individual for several hours on November 17, 2022.

A review of the account confirmed it contained sensitive data such as names, Social Security numbers, diagnosis and treatment information, provider names, patient identification numbers, and health insurance information. The investigation was unable to confirm whether that information was viewed or acquired, but as a precaution, affected individuals have been offered complimentary identity theft protection and credit monitoring services for 12 months. Security policies have been reviewed with respect to email security and additional training has been provided to employees.

Merritt Healthcare Advisors – Email Account Breach

The Ridgefield, CT-based healthcare advisory firm, Merritt Healthcare Advisors, has recently reported a data breach to the California Attorney General that exposed the data of some of its healthcare clients. On November 30, 2022, Merritt discovered a single employee email account had been accessed by an unauthorized individual between July 30, 2022, and August 25, 2022. Notification letters were sent to affected individuals on February 28, 2023. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals.

The HHS’ Office for Civil Rights breach portal indicates 77,258 individuals were affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
