Hacking Incidents Reported by Atlantic General and Lawrence General Hospitals
A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights, state Attorneys General, and the media.
Atlantic General Hospital – Ransomware Attack
Atlantic General Hospital (AGH) in Berlin, MD, has recently reported a ransomware attack to the Maine Attorney General that has affected up to 30,704 individuals. The attack was detected on January 29, 2023, when files were discovered to have been encrypted. A third-party computer forensics firm was engaged to assist with the investigation and determined that there was unauthorized access to files containing patient information from January 20, 2023.
The review of those files was completed on March 6, 2023, and confirmed they contained names, Social Security numbers, financial account information, and one or more of the following data types: medical record number, treating/referring physician, health insurance information, subscriber number, medical history information, or diagnosis/treatment information.
Notification letters were mailed to the affected individuals on March 24, 2023. Affected individuals are entitled to enroll in credit and identity monitoring services for 12 months at no cost. AGH has provided additional training to employees and is working on implementing additional safeguards to prevent similar attacks in the future.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The incident has since been reported to the HHS’ Office for Civil Rights as involving the protected health information of 26,591 individuals.
Lawrence General Hospital – Hacking Incident
Lawrence General Hospital in Massachusetts recently reported a HIPAA compliance data breach to the HHS’ Office for Civil Rights that has affected 76,571 individuals. Little is known about the breach, which was reported to OCR on February 23, 2023, as a hacking/IT incident. As of March 29, 2023, a notice has not been added to the hospital website and the breach has not been listed on the Massachusetts Attorney General breach portal.
OU Health – Stolen Laptop Computer
OU Medicine Inc. in Oklahoma has reported a breach of the protected health information of 3,013 OU Health patients. On December 26, 2022, an employee’s laptop computer was stolen. A review was conducted of the data believed to be present on the laptop, and on January 17, 2023, OU Health determined that emails may have been accessible that included patient data such as names, birth dates, Social Security numbers, driver’s license numbers, account numbers, medical record numbers, provider names, dates of service, health insurance information, and diagnosis and treatment information.
While there have been no reported instances of misuse of patient data, OU Health could not rule out unauthorized access to patient data. All affected individuals have been notified and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.
Majestic Care – Hacking incident
Majestic Care, a provider of community-based skilled nursing throughout Indiana, Ohio, and Michigan, has confirmed that it was the victim of a hacking incident in December 2022 that disrupted access to its information systems. The security breach was detected on December 13, 2022, and resulted in access to its information systems being prevented until December 16, 2022.
The forensic investigation confirmed the disruption was caused by malicious software on its systems which was installed by an unauthorized individual who first gained access to the network on December 9, 2022. On February 3, 2023, it was confirmed that there may also have been unauthorized access to and exfiltration of files containing personal and protected health information, including names, mailing addresses, birth dates, telephone numbers, Social Security numbers, driver’s license numbers, and information related to treatment and payment for healthcare.
The breach affected 2,636 individuals who received services through Majestic Care Middletown Assisted Living LLC in Indiana.