PHI Potentially Exposed Due to Cyberattacks on Nebraska Medicine and Hackley Community Care

Nebraska Medicine has commenced sending notifications to around 219,000 patients concerning an unauthorized person that
potentially accessed patient data as a result of a malware attack.

On September 20, 2020, Nebraska Medicine found out that parts of its systems had strange activity. The firm singled out the infected devices to restrict the impact of the breach. The affected systems were shut down to prevent continuing unauthorized access. Third-party computer forensics experts helped in the investigation and determine the nature and magnitude of the data breach.

Based on the investigation results, an unauthorized individual first acquired system access on August 27, 2020 and corrupted it with malware. The unauthorized individual copied a number of files, with some containing patient data from August 27 up to September 20.

The compromised files belonged to patients who got medical services from the Nebraska Medical Center or University of Nebraska Medical Center. A number of patients received medical services from Faith Regional Health Services, Great Plains Health, or Mary Lanning Healthcare.

The attackers got access to protected health information (PHI) such as one of the following data: Name, address, birth date, medical record number, medical insurance details, doctor’s notes, laboratory test data, imaging, diagnosis information, treatment information, and/or doctor-prescribed drugs information. Some patients’ driver’s license numbers and Social Security numbers were likewise potentially compromised.

Nebraska Medicine mailed notification letters to the affected individuals regarding the breach on February 5, 2021. The individuals who had their Social Security or driver’s license numbers exposed at the same time got credit monitoring and identity theft protection services for free. The provider’s IT environment is still under monitoring for potential breaches. It additionally improved its network monitoring solutions.

Phishing Attack Impacts 2,500 Hackley Community Care Patients

Hackley Community Care located in Muskegon, MI is informing about 2,500 patients concerning unauthorized persons
getting potential access to some of their PHI.

In September 2020, a number of employees had received a phishing email in their inbox. One employee clicked a hyperlink to a malicious site and keyed in his/her login credentials that the attacker snagged and used to access the email account of the employee remotely between September 7 and September 24, 2020.

The breach investigation affirmed the compromise of only one email account. There is no evidence identified that indicates the unauthorized persons opened any emails in the breached account. After the review of the compromised email account was completed on December 18, 2020, Hackley Community Care informed all people that were impacted by the incident.

Most of the affected individuals only had their names and addresses compromised. Individuals who had more sensitive data affected were given TransUnion credit monitoring services for free. Hackley Community Care is reinforcing its security procedures to prevent the occurrence of similar incidents later on.