Ransomware Attack on the University of Tennessee Health Science Center
The University of Tennessee Health Science Center (UT-HSC) reported the potential exposure and theft of the protected health information (PHI) of 19,353 patients due to a cyberattack on its vendor. The affected patients received obstetrics and gynecology (OB/GYN) services at Regional One Health (ROH).
UT-HSC partnered with KMJ Health Solutions to provide a patient handoff software program for its OB/GYN services, which helps make sure patients get the proper care when they are moved to another healthcare provider. UT-HSC received notification from KMJ on or about November 29, 2023, regarding a security incident uncovered while investigating a server outage. KMJ deleted and reformatted the server and engaged a cybersecurity company to look into the incident, but the company could not confirm the unauthorized access. On January 18, 2024, Liquid Web, KMJ’s hosting provider, discovered a ransomware attack but could not confirm whether the attackers exfiltrated a copy of the data kept in the eDocList.
The potentially affected persons received OB/GYN services at ROH from November 2014 to November 2023. The data potentially exposed included first and last name, age, date of admission, medical record number, allergies, service, resident assigned, parity, prenatal provider, diagnoses, lab results, prescriptions, fetal or delivery data, contraception, type of infant feeding, and details of follow-up care.
KMJ has applied new technical safety measures such as penetration testing, vulnerability scans, and configuration analysis. Because of the type of data compromised, UT-HSC believes there is no significant threat of identity theft or credit problems; nevertheless, the impacted individuals were instructed to watch for any communication, such as letters, email messages, or telephone calls, from unknown persons requesting information about any of the services obtained from ROH.
Cyberattack on Jackson Medical Center
Jackson Medical Center in Alabama has informed 509 individuals that their PHI was compromised in a cyberattack that affected the availability of some of its IT systems. The cyberattack was discovered on February 22, 2024. Third-party forensics specialists investigated the attack and confirmed that a third party had unauthorized access to its system from February 17, 2024, to February 22, 2024. During that period, files were viewed or deleted from its system.
An analysis of the impacted files showed on March 8, 2024, that they included patients’ PHI, such as names and at least one of the following: contact details, birth dates, state ID or driver’s license numbers, diagnoses, treatment data, and/or medical insurance data. Notification letters were sent to the affected patients, and free identity monitoring services were provided to patients whose driver’s license numbers, Social Security numbers, or state ID numbers were possibly impacted. Jackson Medical Center stated that extra safety and technical measures were applied to further secure and monitor its systems.
Improper Disposal of Moveable Feast Documents
Moveable Feast, a non-profit company based in Baltimore, MD, provides health care to persons who have HIV/AIDS and other life-threatening medical conditions. It found out that documents with sensitive information had been disposed of improperly. Moveable Feast’s guidelines require that sensitive files be put in shredding bins. However, some were thrown in regular recycling bins by mistake. The HIPAA violation was detected after a recycling bin placed at the curb for pickup turned over, scattering its contents.
Employees gathered almost all the files, but several pages were lost. The lost pages contained the data of 568 persons, such as their client number, name, gender, nationality, and age. For some Moveable Feast clients, the lost pages also included the last 4 digits of their Social Security numbers. The provider sent notification letters to all impacted persons and made 12 months of credit monitoring services available for free. Employees also received HIPAA training on handling sensitive information.