Ransomware Attack on Maryland Hospital Impacted over 30,000 Individuals

A Maryland hospital has notified 30,704 patients of a January ransomware attack that caused a network outage and potentially compromised protected health information (PHI). Interruption to patient care was limited, but several services were temporarily closed, including the outpatient walk-in lab, pulmonary function testing, outpatient imaging, and RediScripts.

Upon discovering the event on March 6, the hospital moved quickly to investigate and respond to the incident, assess the security of its systems, and identify potentially affected individuals. The investigation found that the breach occurred January 20–29, 2023, during which time there was unauthorized access to certain servers and files. The impacted files contained PHI including names, Social Security numbers, medical record numbers, financial account information, treating/referring physician, and health insurance information.

The president of the hospital said there had been extensive measures in place before the attack, and there were even more in place now. He said organizations had to be prepared as cyberattacks had become a business.

The hospital advised patients to monitor their account statements and credit reports for suspicious activity or errors, and has offered 12 months of credit monitoring and identity protection services.

Compliance Perspective

Issue

The healthcare sector is one of the most frequent targets of ransomware: patient records are highly sensitive, and because clinical operations depend on their continuous availability, victims are under pressure to pay. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and their business associates to conduct an accurate and thorough risk analysis of the threats to electronic PHI (45 CFR 164.308(a)(1)(ii)(A)) and to implement security measures that reduce those risks, including measures to guard against and detect malicious software such as ransomware. Under HHS guidance, ransomware that encrypts electronic PHI is presumed to be a breach under the Breach Notification Rule unless the entity can demonstrate a low probability that the PHI was compromised. It is therefore imperative that all nursing facilities take a proactive approach to preventing ransomware attacks rather than relying on response alone.

Discussion Points

    • Review policies and procedures related to HIPAA, PHI, the Privacy Rule, and data integrity. Ensure that they address how staff should recognize and resist attempts by unauthorized individuals to gain access to systems or data, and how the facility guards against and detects malicious software. Update them as new threat information becomes available.
    • Train appropriate staff on HIPAA, PHI, and the Privacy Rule, including how to recognize phishing, avoid malware exposure, prevent unauthorized release of PHI, and detect and report suspected malicious software. Provide refresher training at least annually and whenever new threats or security information become known. Document that each training occurred, and file the signed training record in each employee's education file.
    • Periodically audit to confirm that staff are following data integrity and security measures, that all new hires and current staff have received HIPAA training, and that the facility's policies and procedures for HIPAA, PHI, and privacy are being followed in practice.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
