The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

SAC Health Theft Incident and Multiple Ransomware Attacks Reported

Posted By on May 25, 2022

Social Action Community Health System (SAC Health) has recently notified 149,940 patients that documents containing their protected health information were stolen in a break-in at an off-site storage location where patient records were stored.

The break-in was discovered on March 4, 2022, with the subsequent investigation confirming on April 22, 2022, that six boxes of paper documents had been stolen from the facility, which included files relating to patients served by SAC Health in 1997 and between 2006 and 2020.

An analysis was conducted to determine which types of information were included in the files and concluded the documents may have contained information such as names, addresses, dates of birth, and diagnosis codes. Notification letters were sent to those individuals on May 3, 2022. SAC Health said it is unaware of any actual or attempted misuse of patient data as a result of the break-in; however, as a precaution against identity theft and fraud, affected individuals have been offered complimentary credit monitoring services. SAC Health said it is conducting a review of its policies and procedures concerning the storage of paper data.

Bryan County Ambulance Authority Ransomware Attack Affects 14,000 Patients

The Bryan County Ambulance Authority in Oklahoma has recently started notifying 14,273 patients about the exposure and potential theft of some of their protected health information. According to the notification letters, the attack was detected on November 24, 2021, when files on its systems were encrypted. Immediate action was taken to prevent further unauthorized access, and third-party cybersecurity consultants were engaged to assist with the forensic investigation.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The breach notice does not indicate what types of information were stolen in the attack but says affected individuals have been offered a complimentary membership to an identity theft protection service. According to the notice, the forensic investigation and document review took until April 7, 2022, hence the delay in issuing notifications to affected individuals.

Lifespan Services Suffers Ransomware Attack

Charlotte, NC-based Lifespan Services, a non-profit provider of services to individuals with disabilities, has recently confirmed it was the victim of a ransomware attack that affected data on its servers. The attack occurred on April 12, 2022, and prompt action was taken to secure its systems.

Lifespan said it was possible to restore all encrypted data within 24 hours of the attack, but the forensic investigation confirmed on May 3, 2022, that the individuals behind the attack had accessed files containing patients’ personal information, including names Social Security numbers, Medicaid numbers, driver’s license numbers, and bank routing numbers.

Lifespan said multiple layers of protection were in place, and additional security measures have now been implemented. A complimentary one-year membership to identity theft protection services has been offered to the 8,006 individuals affected.

Vice Society Claims Responsibility for Ransomware Attack on Atlanta Perinatal Associates

The Vice Society ransomware gang has claimed responsibility for a ransomware attack on Atlanta Perinatal Associates in Georgia. Atlanta Perinatal Associates specializes in treating mothers who have high-risk pregnancies, and coordinates care with other medical providers.

The healthcare provider has not yet confirmed it was a victim of a ransomware attack; however, Vice Society has uploaded data to its leak site that was allegedly stolen in the attack. The data includes names, dates of birth, ID numbers, expected due dates, referring physician names, sonographer names, ultrasound results, drug and alcohol use histories, other health information, and some records include credit card information and health insurance information. According to databreaches.net, which reviewed some of the files, they relate to records created between 2019 and April 2022.

Since the incident has yet to be reported to regulators, it is currently unclear how many patients have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist