Cybersecurity Attacks on Southeastern Minnesota Oral & Maxillofacial Surgery and Healthcare Administrative Partners

Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) reported a ransomware attack that resulted in the potential compromise of the protected health information (PHI) of approximately 80,000 patients.

The attack was discovered on September 23, 2019. The IT staff responded and singled out the affected server and took steps to recover the encrypted data. It is uncertain whether SEMOMS paid the ransom or if the IT crew had restored the server from backups.

With the help of computer forensics specialists, SEMOMS established that the affected server included names and X-ray pictures and that an unauthorized individual accessed the server. No proof was found to show the attackers accessed or exfiltrated patient information, but it cannot be ruled out that there was unauthorized ePHI access and theft of data. As a result, notification letters were sent to all individuals whose protected health information was possibly compromised.

Phishing Attack on Healthcare Administrative Partners Affected 17,693 Patients

Healthcare Administrative Partners (HAP), a company offering medical billing and coding services to healthcare organizations in Media, PA, reported that an unauthorized person accessed the email account of an employee after responding to a phishing email.

HAP became aware of the phishing attack on June 26, 2019 upon noticing suspicious activity in the email account of an employee. It was confirmed on September 26, 2019 that the email account contained the PHI of some clients.

A third-party computer forensics company investigated the breach, but found no clear information yet if the email messages and attachments with ePHI had been accessed. Its probability cannot be eliminated.

The account comprised patient information such as names, addresses, birth dates, medical record numbers, doctors’ names, prescription medications, health diagnoses, and limited treatment data. HAP sent notification letters to all impacted companies on October 4, 2019.

HAP also took the necessary steps to enhance email security including the resetting of email passwords, labeling of all external emails as external, training of employees on extra security awareness, and implementing mailbox size limitations and email archiving to minimize the exposure of data in case of more attack. HAP is additionally examining multi-factor authentication alternatives.