24,500 Patients’ PHI Exposed Due to Cyberattacks on Connecticut Eye Clinic and Chaplaincy Health Care

A ransomware attack on Dr. DeLuca Dr. Marciano & Associates, P.C., an eye care clinic located in Prospect, CT, has resulted in the encryption of patient files containing protected health information (PHI).

The ransomware attack happened on November 29, 2018. The clinic immediately shut down the network to stop the malware from spreading; however, that did not prevent the encryption of files stored on two servers. A ransom demand was received but the clinic did not make any payment. The clinic recovered the encrypted files successfully from backups.

The investigation of the breach revealed patient information was potentially accessed by the attackers. Patient information included in the compromised files was limited to names, Social Security numbers, and certain treatment data.

Dr. DeLuca Dr. Marciano & Associates made the following improvements to cybersecurity to prevent further attacks: blocking remote network access, using technical solutions to secure against ransomware, and improving its anti-virus software.

Although no evidence was uncovered that confirmed PHI access or data theft, the clinic has sent notification letters by mail to all persons whose PHI was potentially exposed. Free credit monitoring and identity theft protection services have been offered to breach victims.

The appropriate authorities have been informed of the ransomware attack. The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal indicates 23,578 patients were impacted by the breach.

Chaplaincy Health Care Email Account Breach Reported

A phishing attack on the southeast Washington not-for-profit hospice, palliative care, and chaplain services provider Chaplaincy Health Care has resulted in an unauthorized person gaining access to an employee’s email account that contained patients’ PHI.

Chaplaincy Health Care discovered the phishing attack on November 20, 2018. With the help of a third-party computer forensics company, Chaplaincy Health Care established that an unauthorized individual gained access to a single email account for a period of approximately 4 hours.

The email messages in the account included patients’ names, addresses, birth dates, medical record numbers, prescription medication details, dates of service, and the final 4 digits of Social Security numbers.

All affected patients were sent breach notification letters on January 3, 2019. Chaplaincy Health Care has offered free credit monitoring and identity theft protection services to the breach victims.

Chaplaincy Health Care has provided its employees further training on email security and has implemented two-factor authentication to safeguard against unauthorized account access. The breach report sent to OCR indicates 1,086 patients were potentially affected by the breach.