PHI Compromised in Cyberattacks on Columbia River Mental Health Services and Methodist McKinny Hospital

Methodist McKinny Hospital located in Texas has lately reported that unauthorized individuals accessed its systems and extracted files that contain sensitive information from its systems. The hospital detected the security breach on July 5, 2022, and a third-party cybersecurity company investigated the nature and extent of the breach. The investigation revealed that the attackers accessed its systems from May 20, 2022 to July 7, 2022, and at that time, they exfiltrated files with patient information. The initial investigation has affirmed that the files included names, Social Security numbers, addresses, dates of birth, medical history data, medical diagnosis details, treatment data, medical record numbers, and medical insurance details.

The security breach investigation is in progress and a comprehensive review of all impacted files was started to find out the patients impacted. It was confirmed that the breach impacted patients of Methodist Allen Surgical Center, Methodist McKinney Hospital, and Methodist Craig Ranch Surgical Center. The hospital will send notifications to impacted patients sooner or later. It is presently uncertain how many persons were impacted.

Methodist McKinny Hospital’s substitute breach notification didn’t reveal the nature of the cyberattack, however, it seems to have been a ransomware attack. The Methodist McKinny Hospital is listed on the Karakurt ransomware gang’s data leak site as a pre-release and states that 367 GB of information was extracted during the attack.

Employee Email Accounts Breach at Columbia River Mental Health Services

Columbia River Mental Health Services has lately informed the HHS’ Office for Civil Rights concerning a security breach that involves some employee email accounts. Based on the breach notification, the provider detected suspicious activity in a number of email accounts. Third-party forensics specialists were involved to look into the breach. As per the investigation, unauthorized individuals accessed the email accounts from May 14, 2021 to April 8, 2022.

On July 6, 2022, the analysis of the impacted accounts confirmed that they contained the protected health information (PHI) of patients. The evaluation of the data in the accounts is in progress. Breach notification letters will be mailed to impacted persons as soon as the review is concluded. The breach report submitted to the HHS’ Office for Civil Rights indicated that ‘501’ persons were impacted to meet the last day for submitting the incident report. The breach total is going to be updated upon confirmation of the number of impacted persons.