A critical access hospital in Hallettsville, TX, Lavaca Medical Center, has started sending notifications to 48,705 patients regarding a security breach by which their protected health information (PHI) was exposed.
Lavaca Medical Center stated it discovered strange activity in its computer network on August 22, 2021, suggesting a possible cyberattack. The healthcare provider took immediate steps to protect its system and engaged a third-party computer forensics company to assist with the investigation. The forensic investigators affirmed unauthorized people got access to the network between August 17 and August 21.
Although there was no proof of data theft uncovered, the chance that patient information was viewed or exfiltrated couldn’t be ruled out. Breached systems contained information such as names, dates of birth, Social Security numbers, patient account numbers, and medical record numbers. The hackers were not able to access the electronic medical record system.
According to Lavaca Medical Center, it has no reason to believe any patient information was taken from its systems or misused; nevertheless, the HIPAA Breach Notification Rule requires the sending of notification letters to affected persons. As a preventative measure, impacted people were provided credit monitoring and identity theft protection services at no cost.
Network tracking tools were already improved and its systems will be routinely checked for unauthorized activity.
Malware Infection Discovered by Throckmorten County Memorial Hospital
Texas-based Throckmorten County Memorial Hospital has uncovered that unauthorized persons acquired access to sections of its computer system that held the personal records of 3,136 workers and patients.
An attack was discovered on September 7, 2021. There was an unauthorized access to systems and the installation of malware. According to the forensic team, its network was compromised on August 25, 2021, and systems access remained possible until September 7.
An audit of the impacted systems established they included patient data like first and last name, date of birth, address, gender, date(s) of service, diagnoses, current procedural terminology code, ailment, medicine, and particulars of hospital consultations. Worker data possibly compromised included name, salary history, Social Security number, payroll data, and filing details.
Throckmorten County Memorial Hospital mentioned affected people have been given a complimentary credit monitoring service membership and will be covered by identity theft and fraud insurance plan. Notifications concerning the security breach were overdue to give time for the removal of malware and improvement of security, as offering earlier notifications would make its system prone to other threat actors.