Chelan Douglas Health District, based in East Wenatchee, WA, has announced that it encountered a cyberattack in July 2021 in which the personal data and protected health information (PHI) of patients were exfiltrated from its systems. The breach notice posted on the Chelan Douglas Health District web page does not state when the breach was identified, but a third-party cybersecurity agency investigated the cyberattack and affirmed that unauthorized individuals accessed its network from July 2 to July 4, 2021. A representative for the health district stated this was not a ransomware attack.
The evaluation of the files that were exfiltrated from its systems was done on February 12, 2022, and established the theft of these types of patient information: names, birth dates, dates of death, Social Security numbers, financial account data, treatment details, diagnosis data, medical record/patient numbers, and health insurance policy details.
Issuance of notification letters to affected individuals started on March 15, 2022. Those who had their Social Security numbers compromised were provided complimentary credit monitoring services. Chelan Douglas Health District mentioned it did not know of any reports of identity fraud or misuse of patient information. Steps have already been taken to strengthen the security of its systems to avoid further data breaches.
The breach is not yet published on the HHS’ Office for Civil Rights portal, so it is currently uncertain exactly how many people were impacted. Several press reports indicate the PHI of around 109,000 persons had been stolen in the cyberattack.
Liberty of Oklahoma Corporation Reports BEC Attack
Oklahoma’s Department of Human Services and Liberty of Oklahoma Corporation (LOC) reported that a business email compromise attack that happened in early December 2021 potentially resulted in access to patient information.
On December 7, 2022, a worker in the Oklahoma Waitlist program got an email from a spoofed email account that attempted to redirect payments that were due to LOC. The scam was discovered, so no fraudulent payments were made. However, the investigation into the incident revealed that the email account of a LOC worker had been exposed.
The email account was quickly disabled, and an assessment was performed to identify the types of records that were potentially accessed or stolen. The review established the exposure of names, Social Security numbers, addresses, dates of birth, phone numbers, Oklahoma client numbers, and the contact data of representing persons.
LOC submitted the breach report to the HHS’ Office for Civil Rights indicating that 5,746 persons were impacted.
Security Breach at East Tennessee Children’s Hospital
East Tennessee Children’s Hospital is now investigating a security breach that happened on March 13, 2022, and resulted in disruption to its IT systems. A hospital spokesperson stated the incident didn’t affect the hospital’s operations in giving care to patients, and that its internal teams and external agencies are working hard to reduce the interruption triggered by the incident.
A forensic investigation was started to figure out the nature and magnitude of the security incident. However, at this stage of the investigation, it is not known whether any patient data was viewed or stolen.