Data Breaches at CSI Laboratories and Christie Clinic; Scripps Health Issues More Notification Letters

Conti Ransomware Gang Says It is Responsible for CSI Laboratories Cyberattack

Cytometry Specialists, Inc. also known as CSI Laboratories in Alpharetta, GA, has just reported that it experienced a cyberattack that was uncovered on February 12, 2022. An investigation was started which established that files comprising some patient information were copied from its systems, which for the most part comprised patient names and case numbers employed for tagging patients. Nevertheless, addresses, birth dates, medical record numbers, and health insurance data were likewise included for a number of patients.

CSI Laboratories mentioned in its website notice that at this phase of the investigation there appears to be no sign of any misuse of patient records. Though CSI Laboratories didn’t make known the nature of the attack, the Conti ransomware group has professed responsibility for the cyberattack and has posted a sample of the stolen information on its data leak webpage. CSI Laboratories stated it has already re-established its system on the web and it is keeping track of its network carefully for abnormal activity. No statement was made concerning payment of any ransom demand.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach site, thus it is uncertain how many people were affected.

Email Account Breach Announced by Christie Clinic

Christie Business Holdings Company, P.C., dba Christie Clinic, has lately reported that is had a security incident regarding the email account of a worker. The firm’s breach notice didn’t state when the breach was uncovered, nonetheless, the forensic investigation affirmed on January 27, 2022, that an unauthorized person accessed the email account between July 14, 2021 and August 19, 2021.

Christie Clinic stated the reason for the attack seemed to be to intercept a business deal between the company and a third-party seller, instead of to get sensitive data from the email account, nevertheless, it was impossible to determine to what level emails inside the account were viewed. Christie Clinic mentioned the investigation affirmed that the breach just impacted one email account. No other parts or accounts were affected. On March 10, 2022, the assessment of information in the account showed that the emails involved protected health information (PHI) for instance names, Social Security numbers, addresses, health data, and medical insurance details. Notification letters were issued to impacted persons on March 24, 2022.

Christie Clinic claimed it currently employs industry-leading network security tools, conducts regular training on data security and privacy and has enforced supplemental safety measures.

Scripps Health Issues More Notification Letters Regarding 2021 Ransomware Attack

On June 1, 2021, Scripps Health based in San Diego informed the HHS’ Office for Civil Rights concerning a ransomware attack that resulted in the potential compromise of the PHI of 147,267 patients. Hackers had acquired access to its system from April 26, 2021 to May 1, 2021, and likely copied files made up of patient information. The attack ended in class action lawsuits and the healthcare company had lost over 113 million.

About a year after the breach of its network, a patient contacted NBC 7. The patient got a notification letter dated March 15, 2021, telling her about the potential compromise of her PHI in the attack, which includes her name, address, birth date, medical insurance data, patient account number, medical record number, and clinical data like diagnosis or treatment details. The patient did not get any notification regarding the ransomware attack before.

NBC 7 called Scripps Health, which affirmed that the manual document assessment just finished, and it was identified that more patient information was potentially breached in the attack, however, did not say how many more patients were impacted.