Sometimes, what looks like an update isn’t actually an update but an initial disclosure. On January 14, the following press release appeared about an Alabama entity. Neither the press release nor the notice on the entity’s website specifically identifies this as a ransomware incident.
NHS Management, which manages 50 long-term care and rehabilitation facilities in four states, says the firm is continuing to assess and evaluate the extent of a data incident which took place in May of last year.
When the incident was discovered on May 16, 2021, NHS immediately began investigation of the sophisticated cyberattack with the assistance of a third-party team of security specialists. Employees and other known affected individuals were promptly notified of the incident and advised to take steps to secure sensitive data.
While the range and scope of the data compromised is still unclear, this cyberattack in no way affected the quality of patient care.
NHS takes very seriously the security of all data pertaining to any aspect of its operations. The process of reviewing the data that may have been accessed to identify any additional impacted individuals is ongoing. In the meantime, NHS has taken the necessary steps to help ensure the security of its data system going forward.
Anyone who desires further information about the data incident can go to the NHS webpage at nhsmanagement.com for more information.
NHS Management, LLC Provides Notice of Data Privacy Incident
NHS Management, LLC (“NHS”) is providing notice of a recent event that may affect the security of certain information. On May 16, 2021, NHS discovered that it was the victim of a sophisticated cyberattack. NHS immediately launched an investigation to confirm the full nature and scope of the incident and restore functionality to impacted systems. Through the investigation, NHS determined that an unauthorized actor may have had access to certain NHS systems between May 14, 2021 and May 16, 2021. As a result of the investigation, it was determined that certain files were potentially at risk as the result of the incident. Due to the volume and complexity of the files at issue, NHS promptly began working with a third-party data review team to perform a comprehensive review of all information contained in the impacted files. At present, the comprehensive data review is ongoing in an effort to determine what personal information may have been contained within same.
To be clear, NHS has uncovered no evidence that any employee or patient information was misused. Nevertheless, out of an abundance of caution, NHS is working to provide notice to its employees and nursing home residents and patients whose personal information was contained within the affected systems and involved in the incident. The efforts to identify potentially impacted individuals and locate contact information to directly notify those potentially impacted individuals are ongoing. Written notice will be provided to the impacted individuals as soon as practicable after those individuals are identified. Any impacted individuals identified thus far have already been notified. NHS also notified the U.S. Department of Health & Human Services’ Office for Civil Rights and federal law enforcement.
The information that may have been impacted by this incident could have included one or more of the following: an individuals’ name; address and other contact information; medical history; treatment or diagnosis information; health information; health insurance information; Social Security number, date of birth, and/or driver’s license number. However, not every data element would have been impacted for every individual, and there is no evidence of unauthorized access to the database that contains electronic medical records.
For more information, please go to the NHS website at www.nhsmanagement.com.
SOURCE: NHS Management