SC: Sandhills Medical Foundation notifies patients of vendor breach
Updated 3/6/2021: Sandhills reported this incident to Maine as impacting 39,602 patients, total.
Sandhills Medical Foundation has posted a notice of a data security incident on their web site, reproduced below. Based on the dates and description, it appears that this is the Netgain Technology LLC data breach that has previously been noted on DataBreaches.net as affecting Ramsey County and Woodcreek Provider Services. As reported this week, Woodcreek is notifying more than 200,000 patients, but their report is not yet listed on HHS’s public breach tool. Sandhills Medical Foundation’s report is also not yet on HHS’s breach tool and we have no numbers for them as yet. It’s possible that we may see one report from Netgain Technology LLC to HHS as the business associate or vendor, but in any event, it seems clear that details about the impact of this incident are still emerging. This breach is a useful example, though, of what can happen and at how many points the entity might have been able to thwart or avoid the biggest part of the breach. Had employee email not been compromised in September… had the attackers not been able to access the system in November.. had the attackers exfiltrating data been detected and blocked… had the attackers been kicked out before they could deploy ransomware on December 3…. This is another one of those “if only” breaches….
Notice of Data Breach
At Sandhills Medical Foundation, Inc., we value our patients and their privacy. This notice is to inform our patients about an incident that involved their personal information.
Sandhills Medical Foundation, Inc. (“Sandhills”) uses an outside vendor to provide electronic data storage for some of its scheduling, billing, and reporting systems. On January 8, 2021, the vendor informed Sandhills that the vendor experienced a ransomware attack that affected Sandhills’ systems and the data stored in them. The vendor’s investigation showed that the attackers used compromised credentials to access their system on September 23, 2020. The attackers accessed Sandhills’ systems on November 15, 2020, and exfiltrated (took) Sandhills’ data before the ransomware attack was launched on December 3, 2020.
What Information Was Involved
Sandhills determined that patient medical records, lab results, medications, credit card numbers and bank account numbers were NOT affected. The affected data included patient names, dates of birth, mailing and email addresses, driver’s licenses, and Social Security numbers. It also included claims information which could be used to determine patient diagnoses/conditions.
What We Are Doing
The vendor reported the attack to law enforcement and hired a cybersecurity firm to investigate and respond to the attack. The vendor paid the attackers to return the data and received assurances that copies of the data were deleted/destroyed. Since the attack, the vendor has implemented additional security measures.
Sandhills reported the breach to the U.S. Department of Health and Human Services, Office for Civil Rights; to the South Carolina Department of Consumer Affairs; and to the national credit reporting agencies. Sandhills sent a letter to each affected patient describing the incident and offering one year of free credit monitoring and identity theft protection.
For questions about how to enroll in the free credit monitoring and identity theft protection services, affected patients should call 1-888-236-0854. To speak directly with Sandhills’ Compliance Officer about this incident, patients should call 1-800-688-5525.