Patient Data Potential Compromise Due to Ransomware Attacks on Monterey Health Center and Magnolia Pediatrics

Monterey Health Center in Milwaukie, OR encountered a ransomware attack, which began on August 12, 2019. Because of the incident, its electronic health records system was encrypted and made patient information inaccessible.

With the assistance of a third-party provider, the Monterey health center finished restoring all patient data without delay and carried on its work of providing patient care. It is unsure if the recovery of the health records was because of the system backups or the payment of the ransom demand.

To determine if there was patient data copied by the attackers, a third-party forensic team began investigating. The investigation findings uncovered no evidence of data exfiltration, yet unauthorized data access could not be completely eliminated. So far, there are no information received concerning the misuse of any patient data.

The informatioin likely exposed included: patient names, birth dates, addresses, Social Security numbers, driver’s license numbers, medical histories, diagnoses information, laboratory test findings, treatment details, prescribed drugs, medical insurance information, claims records, and financial account information.

Monterey Health Center sent notifications to all persons affected by the breach and gave instructions on improving their security. Third-party professionals, alongside the health center, will not stop in making sure that the systems and records of the patients medical and personal information cannot be accessed by unauthorized persons.

Magnolia Pediatrics Ransomware Attack

Magnolia Pediatrics in Prairieville, LA encountered a ransomware attack on August 23, 2019. The protected health information (PHI) of patients when affected by file encryption.

A third-party computer forensics service assisted the pediatric practice in the investigatioins. It was found out that patient information was not removed from the systems during the attack. Even if data theft is not suspected, it can’t be definitely ruled out that no unauthorized person accessed or stole patient data.

The encrypted computer system had patient information such as names, phone numbers, addresses, medical record numbers, clinical information, diagnoses, lab test findings, diagnoses, prescribed medications, medical histories, health insurance information, dates of service, names of treating doctors, and Social Security numbers.

Magnolia Pediatrics had submitted an incident report to the Federal Bureau of Investigations and investigation is still in progress. The practice already took steps to reinforce security and prevent similar attacks again. All impacted patients already got breach notification letters.

About Christine Garcia 1297 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA