Mar 132019

CBC News reports:

One employee at Hawkesbury General Hospital has been let go after personal information was improperly accessed, Radio-Canada has learned.

Patients who had their information viewed were recently informed in a letter.

Chantal Groleau, one of the people who received a letter, was told her personal information was viewed between March 2016 and October 2018.

Read more on CBC News.

Mar 132019

On February 25,  Pasquotank-Camden Emergency Medical Service in North Carolina reported a breach to HHS that affected 20,420 patients.  A notification sent to the Vermont Attorney General’s Office explained that sometime in late December, 2018, the county became aware of an unauthorized intrusion from outside of the U.S.  Investigation revealed that the intruder was able to access files with protected health information, but they found no evidence that data was exfiltrated or misused.  The county notified all those potentially impacted and offered them 12 months of credit monitoring and credit restoration services, should they be needed.

A few days later, however, Jon Hawley of the Daily Advance reported on the incident, but reported that it was 40,000 patients affected as per the county’s most recent statement that week.  Hawley also provided additional details, including the facts that the hack had occurred on December 14, that the hacker had erased files, and there had been no ransom demand.

Of special note:

Hammett said the hacker exploited a vulnerability in the county’s billing software, provided by the company TriTech, and tricked it into considering the hacker a normal user. That allowed the hacker to access records as far back as 2005, though most dated back to 2010, Hammett said.

Some of the text files the hacker viewed were thousands of pages long, Hammett said, making it a long process to review what information had been compromised, who should be notified, and how.

“Russy,” a regular reader of and contributor to this site, notes that in 2018, TriTech merged with Superion to form CentralSquare. Superion/CentralSquare is the company behind Click2Gov, the billing software many municipalities use. But unless I’m misuinderstanding something, this does not appear to be the same vulnerability involved in Click2Gov breach reports, as Hawley cites the county manager Sparty Hammett as telling him that TriTech “was not aware of the vulnerability, and has closed it. ”

Hammett also informed the paper that the county may move EMS data to TriTech’s cloud, rather than store it locally, or switch to another software entirely.

EMS Director Jerry Newell  said the data breach did not hinder ambulance response, and the agency was able to quickly restore the lost data.  It sounds like the county had learned important lessons from a previous and severe attack in May, and was now better prepared in a number of ways.

Read more on The Daily Advance.

Mar 122019

On September 11, 2018, Maffi Clinics in Arizona joined the ranks of those attacked by ransomware.

From their notification letter (see below), it appears that the clinic was prepared and quickly implemented their incident response plan.

The consulting firm promptly identified the unauthorized access point and terminated it; isolated and removed the ransomware; and restored all of our data. The consulting firm also determined the unauthorized access began approximately 5 hours before the system was shut down, at which point the access ended. The consulting firm found no evidence any of our data was viewed or downloaded and, to date, we have not received any ransom request.

In the proverbial “abundance of caution,” the clinic decided to mail written notices to all patients.  Their submission to HHS indicates that came to 10,465 patients.

You can read the full notification letter below.

Mar 122019

On February 26, Delaware Guidance Services for Children and Youth, Inc. (“DGS”) sent a letter to parents and guardians of their young patients. The letter explained that on December 25, 2018, DGS had become the victim of a ransomware attack that had locked up the patient records. Those records contained personal information, such as name, address, birth date, social security number, and medical information.

To secure release of the records, DGS was required to pay a “ransom,” in exchange for a de-encryption “key” that unlocked the records.

Their notification letter, signed by their Executive Director, Jill Rogers, MSN, does not say how much DSG paid for the decryption key.

Subsequent investigation did not provide any indication that records had been accessed, corrupted, or exfiltrated, but DGS decided to notify everyone and to offer them credit monitoring services and other  supports.

You can read their full notification letter below. DSG does not explain why they opted to pay ransom. Did they not have a current backup that they could use to restore their database or was their some other reason or concern?

Patient Privacy Letter 2019
Mar 122019

Direct Scripts, a pharmacy benefit management service provider in Ohio, recently notified more than 9,300 patients after discovering that they had been the victim of a ransomware attack.

Direct Scripts became aware of the attack on January 30, and immediately launched an investigation to determine what had happened and if any patient protected health information had been accessed or acquired.  A notice on their web site dated February 22 explains:

The  information potentially involved may include customer names, addresses, and prescription information, but the impacted server did not and does not store customer Social Security numbers or credit card information. While there is no evidence that any sensitive or personal information has been misused, Direct Scripts has sent notification letters to all potentially impacted customers.

Based on their investigation, Direct Scripts states that they do not believe any customers’ personal information was at risk, but they have created a web site and have other support available to those with questions or concerns. Their full notification can be found here.