Data Breaches at Cancer Center of Hawaii and Zuckerberg San Francisco General Hospital

A ransomware attack on the Cancer Center of Hawaii in Oahu on November 5, 2019 led to the forced shut down of its network servers. It also resulted in the temporary inability to provide radiation treatment to people at Pali Momi Medical Center and St. Francis’ hospital in Liliha.

Though patient services experienced disruption, the center is convinced that the attackers had not accessed any patient data. The investigation of the breach still continues, but all data stored on the radiology machines had been retrieved and the network is already operational.

It is unknown how long the network was de-activated and information concerning the potentially compromised types of patient information is still unavailable.

The Cancer Center had notified the FBI concerning the breach. If the forensic investigators declare that hackers had gained access to patient data, the proper authorities will also be notified about the incident.

The breach merely affected the Cancer Center’s systems. The attack had not impacted St. Francis’ hospital and Pali Momi Medical Center since their patient records systems were separate from the Cancer Center.

Zuckerberg San Francisco General Hospital’s Improper Disposal Incident

Zuckerberg San Francisco General Hospital informed 1,174 patients about the improper disposal of meal tickets containing their protected health information (PHI).

The PHI printed on the meal tickets included the patients’ full names, their bed/unit in the hospital, birth month, dietary requirements, and their food selection. The proper method to dispose of the meal tickets is to put them in confidential garbage bins. Nonetheless, the tickets were accidentally disposed of along with common garbage.

The breach occurred because one staff didn’t know the need to shred the meal tickets. The San Francisco Department of Health learned about the improper disposal incident on November 15, 2019. The staff had thrown away meal tickets incorrectly from June 18 to November 4. After knowing about the breach, the staff was directed to adhere to the right procedures in sensitive information disposal.