A hospital in Nevada has reported that a ransomware attack in the early Summer of 2021 affected the data of 1,300,00 people. The organization stated that the incident only lasted one day, but the attackers were able to compromise some files on network servers.
The compromised files did contain protected health information (PHI) and personally identifiable information, potentially including:
- Demographic information (name, address, date of birth, and Social Security Number)
- Clinical information (history, diagnosis, and test results)
- Financial information (insurance numbers)
The Nevada hospital reported that it has no evidence to date that the cybercriminals accessed any clinical systems, including those connected to its electronic health records. The hospital representative said that out of an abundance of caution, they will directly notify every person potentially affected by the cyberattack and provide them with complimentary access to identity protection services.
Analysts point to REvil, a Russia-linked ransomware group, as the culprit. The group has reportedly extorted upwards of $12 million from victims in 2021. Just after the Nevada hospital attack, the REvil group posted images of driver’s licenses, passports, and Social Security cards of around half a dozen alleged victims on its website. However, after the Nevada hospital attack, the group vanished from the internet.
In a statement, the Nevada hospital representative said that they notified the FBI and the local police department. Additionally, they are engaging in a number of security initiatives, including working closely with external cybersecurity professionals and updating internal and external technology solutions to further safeguard the hospital against cyberattacks.
An Ohio-based class action law firm announced that it was investigating claims on behalf of breach victims. The firm is encouraging those who received a notification about the breach to contact its attorneys about potential legal remedies.
Issue:
The healthcare sector is now one of the largest victims of ransomware due to its vulnerability to the confidentiality and the critical nature of online patient records. It is imperative that all nursing facilities become proactive in preventing ransomware attacks to avoid data breaches which are reportable in terms of the Health Insurance Portability and Accountability Act (HIPAA). Nursing facility leaders and the Privacy Officer should be aware of the new tactics that are being used by malicious ransomware attacks and provide training to all staff with access to electronic medical records, email, or internet on best practices to prevent a ransomware attack. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6, Data Integrity.
Discussion:
- Review your facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices designed to prevent ransomware attacks.
- Train all appropriate staff on best practices to prevent ransomware attacks. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that staff are knowledgeable and utilizing best practices in preventing ransomware attacks.
