CHI Health in Omaha, NE, a 14-hospital health system, suffered a ransomware attack that led to the potential exposure of the protected health information (PHI) of close to 48,000 patients.
CHI Health became aware of the attack on August 1, 2019. The attack affected the old electronic health record (EHR) system, in particular the medical records of patients who obtained healthcare services at the Lakeside Orthopedic Clinic operated by CHI Health prior to April 2016.
According to the investigation reports, the attack led to the encryption of the database associated with the EHR system. Although it is very probable that the attackers accessed or duplicated patient information, no evidence could prove unauthorized access to or exfiltration of data. No reports pointing to misuse of patient data have been received either. The only reason behind the ransomware attack appears to be the demand for ransom payment.
The following kinds of information were held in the database: patient names, birth dates, phone numbers, addresses, diagnosis data, treatment information, other medical information and Social Security numbers.
CHI Health notified the affected patients via mail and submitted the breach report to the Department of Health and Human Services’ Office for Civil Rights and other regulatory authorities.
As a safety measure, CHI Health offered the affected patients one year of free credit monitoring and identity theft protection services. Further mitigation steps were employed to ensure that similar breaches are avoided from here on.