DataBreaches.net

DataBreaches.net

The Office of Inadequate Security

Menu
  • Breach Laws
  • About
  • Donate
  • Contact
  • Privacy
  • Transparency Reports
Menu

One year later, Minimally Invasive Surgery of Hawaii notifies patients of ransomware incident

Posted on February 22, 2022 by Dissent

A notification letter template that showed up on the California Attorney General’s site this week is dated “February 19, 2021.”  I assume the 2021 is a typo based on the rest of the letter.

The letter from Orthopedic Associates of Hawaii (OAH) begins (emphasis added by this site):

Orthopedic Associates of Hawaii, All Access Ortho and Specialty Suites d/b/a Minimally Invasive Surgery of Hawaii (collectively “the Practices”) write to inform you of a recent event that may affect the security of some of your information.

“Recent event?” If you read the full notification letter (embedded below), you find that the incident occurred on February 12, 2021 and was discovered on February 19, 2021.  Yes, 2021 — one year ago.  This was not a  “recent” event at all.

Reading further, it appeared that this was a ransomware incident. It is not clear from the notice who the attackers were and whether any ransom was paid to get a decryption key. OAH states that HHS has been notified, but their notice has not yet shown up on HHS’s public breach tool as of the time of this publication, so we do not yet know how many patients were notified.

But then there was also this part of their notification that resulted in some teeth-grinding here (emphasis added):

On or around April 2, 2021, the investigation confirmed certain systems were accessible by an unknown actor between February 12, 2021 and February 19, 2021, and certain, limited data was downloaded. In an abundance of caution, we performed a comprehensive review of the information stored in our systems at the time of event to identify the individuals whose information may have been impacted.

“In an abundance of caution?” Seriously? Finding out who had their data compromised or potentially downloaded and who needed to be notified under applicable federal and state laws does not qualify as an “abundance of caution” by my standards.

I suspect this incident will result in a potential class-action lawsuit given the delay in notification, but that doesn’t mean that any suit will prevail.  According to the letter signed by Jessica Drew, Nurse Manager for The Practices, they have no indication of any misuse of patient data, but the types of information in the system at the time of the breach included:

full name, address, date of birth, medical treatment and diagnosis information, health insurance information, and for a limited number of individuals, Social Security number.

OAH is offering those impacted some mitigation services with Experian Identity Works, but the support appears to be available from the date of the letter. But is that 2021, then, or 2022?

OAH- Sample Notice

Related Posts:

  • Hawaii Considers Amendments To Data Breach Notification Law
  • Credit card, personal info targeted in Hawaii tour…
  • Hackers Hit Hawaii First FCU
  • Thousands Affected by Ransomware Attack on Hawaii Company
  • More than 200 FFD workers warned personal info may…

Post navigation

← Sg: Ex-deputy lead of MOH data unit jailed for leaking daily Covid-19 case numbers in 2020
Report: Missouri Governor’s Office Responsible for Teacher Data Leak →

Sponsored or Paid Posts

This site doesn’t accept sponsored posts and doesn’t respond to requests about them.

Have a News Tip?

Email:

Breaches[at]Protonmail.ch
Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Telegram: @DissentDoe

Browse by News Section

Latest Posts

  • Ransomware attack on indie game maker wiped all player accounts
  • Hospitals in multiple states diverting patients after Ardent Health Services hit with ransomware attack
  • DHS/CISA and UK NCSC Release Joint Guidelines for Secure AI System Development
  • Henry Schein re-encrypted by BlackCat again
  • Europe’s grid is under a cyberattack deluge, industry warns
  • Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group
  • Ransomware group leaks data allegedly from Granger Medical Clinic
  • IBM, Johnson & Johnson Hit With Second Health Data Breach Suit

Please Donate

If you can, please donate XMR to our Monero wallet because the entities whose breaches we expose are definitely not supporting our work and are generally trying to chill our speech!

Donate- Scan QR Code   Donate!

Social Media

Find me on Infosec.Exchange.

I am also on Telegram @DissentDoe.

RSS

Grab the RSS Feed

Copyright

© 2009 – 2023, DataBreaches.net and DataBreaches LLC. All rights reserved.

HIGH PRAISE, INDEED!

“You translate “Nerd” into understandable “English” — Victor Gevers of GDI Foundation, talking about DataBreaches.net

©2023 DataBreaches.net