Healthcare Fiscal Management Inc. (HFMI) based in Wilmington, NC provides hospitals, physician groups and clinics with self-pay conversion and insurance eligibility services. HFMI encountered a ransomware attack that resulted in the exposure of the personal and protected health information (PHI) of patients of St. Mary’s Health Care System located in Athens, GA.
An unauthorized individual obtained access to HFMI systems on April 12, 2020 and launched a ransomware payload the following day which encrypted data stored on its systems. The attacker accessed systems that contain the personal and protected health information of patients who got healthcare services at St. Mary’s between November 2019 and April 2020.
The attackers potentially accessed and obtained the data of around 58,000 patients, even though data access/theft could not be verified. The PHI located on the compromised systems was restricted to names, Social Security numbers, dates of birth, account numbers, medical record numbers, and dates of service.
HFMI was prepared for this kind of event and had workable backups that were utilized to bring back data the same day to another hosting provider. A forensic investigation company was called in to investigate the breach. The forensic investigators affirmed that the attackers have no possession of the data. The data is also not accessible online.
Security experts are looking at security controls and, according to their suggestions, steps are taken to reinforce security. HFMI has provided all affected people free credit monitoring and identity theft protection services as a preventative measure against identity theft and fraud.
Phishing Attack on Friendship Community Care Impacts 9,745 Patients
Friendship Community Care (FCC) based in Russellville, AR, a nonprofit care provider of adults and kids with disabilities, suffered a phishing attack in January 2020.
FCC discovered the breach on February 4, 2020 after noticing suspicious activity in an employee’s email account. Forensic investigators assisted investigate the incident and affirmed on February 5, 2020 that an unauthorized individual had acquired access to the email account, but upon more investigation, it revealed the compromise of several Office 365 email accounts using credentials obtained in the phishing attack.
FCC discovered on February 7, 2020 that the email accounts consist of protected health information. A thorough analysis of the email accounts confirmed the potential access of 9,745 people’ PHI, though there is no evidence found that suggests the attacker viewed or obtained the emails.
The compromised accounts included names, dates of birth, addresses, client ID numbers, Medicare IDs/Medicaid IDs, patient numbers, medical details, Social Security numbers, employer ID numbers, state ID card numbers, driver’s license numbers, student ID numbers, mother’s maiden names, birth certificates, marriage certificates, disability codes, facial photographs and financial account data.
FCC offered complimentary credit monitoring and identity protection services to affected people. An evaluation of email security was carried out, and steps are being done to improve security to avoid similar breaches in the future.