Cyberattack Announced by Logan Health Medical Center and NHS Management

Logan Health Medical Center in Kalispell, MT, has recently begun notifying some patients that hackers gained access to a file server that stored patient data in a highly advanced criminal attack.

The hospital discovered the security breach of its IT systems on November 22, 2021. The preliminary investigation confirmed that an attacker had breached its security defenses. Third-party forensic investigators were engaged to determine the nature and extent of the attack. On January 5, 2022, it was confirmed that certain files on its systems that included patient data had been viewed.

The breach was restricted to one file server, and the hospital's electronic medical records were not exposed. A review of the files on the impacted server showed they contained patient records that included names, addresses, birth dates, email addresses, phone numbers, medical record numbers, insurance claim data, date(s) of service, treating/referring doctor, medical bill account number, and/or medical insurance details. The types of data found in the breached files differed from one patient to another.

Logan Health Medical Center stated that no evidence was found indicating that any data on the compromised server was misused; nevertheless, as a precaution, impacted people were offered free credit monitoring and identity protection services via Kroll. Logan Health Medical Center said it has already implemented extra security measures to secure its systems.

The breach has not yet appeared on the HHS’ Office for Civil Rights breach website, but the report sent to the Maine Attorney General shows the protected health information (PHI) of around 213,543 persons was possibly compromised.

NHS Management Notifies Patients Regarding May 2021 Cyberattack

NHS Management, based in Tuscaloosa, AL, which manages 50 long-term rehab facilities in Arkansas, Missouri, Alabama, and Florida, reported a data breach last January that was identified in May 2021. NHS Management stated in its breach notification letters that it encountered a sophisticated cyberattack, but made no mention of ransomware. NHS Management stated the incident impacted the operation of selected systems and that it worked immediately to restore access. The attack did not affect the provision of patient care. NHS said a third-party team of security professionals was assembled to look into the attack and determine the nature and extent of the incident, and the investigation is in progress.

The breach report was sent to the HHS’ Office for Civil Rights on October 29, 2021, stating that 501 people were affected. This seems to be a placeholder to satisfy the HIPAA breach reporting requirements until all information regarding the breach is understood. NHS Management stated in its breach notice that the breach investigation is still in progress and that the range and magnitude of compromised information are still not clear because of the quantity and complexity of the data involved. At this stage of the investigation, no evidence has been found indicating that employee or patient data was misused.

The investigators confirmed that attackers had access to its system from May 14, 2021, to May 16, 2021, and accessed some files, but did not gain access to electronic medical records. The files viewed included the following types of information: name, contact data, medical record, treatment/diagnosis details, health data, health insurance details, Social Security number, birth date, and driver’s license number. The types of data breached differed from one person to another.

Steps were taken to ensure the security of its systems and prevent further data breaches, and NHS Management stated that notification letters will be mailed to impacted persons once they have been identified.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA