Summary of Ransomware Attacks on Healthcare Providers in Illinois and Rhode Island

This is a summary of healthcare ransomware attacks, security incidents and privacy breaches that have been reported in the past few days that have not already been covered on this website.

20,371 Patients of Center for Vitreo-Retinal Diseases Impacted by Ransomware Attack

The Center for Vitreo-Retinal Diseases located in Libertyville, IL was attacked with ransomware, resulting in the encryption of information on its servers. The center detected the attack on September 18, 2018. The investigating team suggests the attacker may have accessed the protected health information (PHI) of 20,371 patients stored on the its servers.

The reason for the attack appeared to be solely extortion. Although the attacker potentially accessed patient information, there is no evidence that the hacker viewed, stole, or misused any protected health information of patients. The PHI that was potentially accessed included patients’ names, phone numbers, addresses, dates of birth, medical insurance data, health information, and the Social Security numbers of Medicare patients.

Center for Vitreo-Retinal Diseases has now reviewed its security defenses and has implemented extra controls to prevent the occurrence of similar security breaches.

Rhode Island Health Center Attacked with Ransomware

Thundermist Medical Center located in Woonsocket, RI was attacked with ransomware on November 28. The center took immediate action to protect patient data and isolated the unaffected systems to stop further file encryption.

The health center followed its emergency procedures and continued to provide health services. There was minimal disruption for patients but there were cancellations of some appointments for safety reasons due to the inability to access healthcare records. Thundermist Medical Center believes patient information was not compromised in the attack.

Patient Names Disclosed Due to Mailing Error at Vendor of OrthoTexas Physicians and Surgeons

OrthoTexas Physicians and Surgeons, a provider of orthopedic and sports medicine services in Texas, discovered on October 5, 2018 a mailing error had occurred that resulted to the accidental disclosure of patient data to other patients.

The notification letters were sent to advise patients about a doctor who joined the practice and would treat patients at its facilities in Plano and Frisco. The letters were incorrectly dated August 27, 2018, and were also placed in incorrect envelopes by the practice’s mailing vendor.

The notification letters were sent to 2,172 patients. The name of one patient was disclosed to another patient. No other patient information was detailed in the letters.

PHI of 500 Patients Improperly Disposed of at San Mateo Medical Center

San Mateo Medical Center located in Daly City, CA, has announced that the healthcare information of up to 500 patients has been exposed as a result of an improper disposal incident.

The paper records had been placed in a box that was left overnight under an employee’s desk. Temporary cleaning staff mistook the box for documents that needed to be recycled and the paperwork was discarded with non-confidential waste. San Mateo Medical Center has specific recycling bins for paperwork containing confidential data which is sent for shredding to render the information unreadable.

The recycled paperwork contained information relating to patients who visited the Daly City center on November 5 and 6, 2018. Since the paperwork was not recovered, there was no way to know who the affected patients were and the exact information that had been exposed. San Mateo Medical Center said the information of patients was likely to have included the following data elements: Names, dates of birth, insurance codes, medical record numbers, service dates, patient account numbers, ages, patients’ gender, provider names and resource names.

San Mateo Medical Center has strengthened its policies on the disposal of sensitive data. The Daly City clinic manager has also advised employees not to leave sensitive data out overnight and to put sensitive documents in shredding bins immediately when they are no longer needed.