Breaches at Mat-Su Surgical Associates and The Little Clinic

Mat-Su Surgical Associates based in Palmer, AK made an announcement that it encountered a ransomware attack in March. The staff discovered the attack on March 16 after being locked out of the computer systems because of the encryption of important files.

A team of independent computer forensics investigators evaluated the nature and magnitude of the attack and to find out whether the attackers accessed or stole any patient data. It was not possible to know whether the attacker was able to exfiltrate data or view patient information prior to encrypting the files, nevertheless, the investigators couldn’t eliminate unauthorized data access. The attacker was driven to have acquired access to areas of its computer system that stored the protected health information (PHI) of 13,146 patients.

The following information were possibly exposed in the attack: names of current and former patients of Mat-Su Surgical Associates and Valley Surgical Associates together with addresses, diagnoses, treatment data, lab test results, health insurance data, Social Security numbers, and other details associated to the received medical care.

Mat-Su Surgical Associates sent notification letters by mail to all affected patients and offered them complimentary membership to credit monitoring and identity theft protection services through ID Experts.

Mat-Su Surgical Associates also made appropriate security improvements, including employing additional measures to prevent unauthorized remote access to its systems.

PHI Exposed Due to an Online Appointment System Bug

The Little Clinic, which has a network of more than 215 medical care clinics located in Kentucky, Kansas, Ohio, Tennessee, Arizona, Colorado, Georgia, Indiana, and Virginia, uncovered a bug in its internet-based appointment system that potentially allowed the unauthorized disclosure of patients’ PHI.

The Little Clinic found the bug and determined that it was introduced on October 7, 2018. The network corrected the issue on February 13, 2020 and implemented measures to avoid similar breaches later on.

Because of the coding error, if a patient made an appointment and later changed it online, the patient’s name, date of birth, address, and telephone number may be accessed by other domains. The investigation findings revealed that around 10,974 patients were possibly affected and may have had a few of their personal information disclosed.

The Little Clinic did not find any evidence to suggest the access or misuse of patient data nevertheless decided on April 7, 2020 that the incident was considered as a data breach. Therefore, the clinic notified by mail all individuals potentially affected.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at