From small community hospitals like Memorial Hospital and Manor in Bainbridge, Georgia, to the largest providers, ransomware, business email compromise and other cyber threats are causing daily care disruption in the United States. 

“America is now averaging two health system data breaches per day,” Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, said in his opening keynote at the HIMSS Healthcare Cybersecurity Forum last week in Washington, D.C.

Cyber threat actors often take advantage of basic vulnerabilities, targeting people who work for hospitals and health systems. Case in point – the large health system Kaiser Permanente said Sunday that it sent a notice to affected individuals in Southern California whose personal health data was compromised when an unauthorized party accessed two employee email accounts.

But they can also be savvy with their exploits, employing phishing attacks bolstered by sophisticated social engineering. Earlier this month, a cyber exploit resulted in the exfiltration of patient data associated with 1.8 million individuals from Colorado-based independent pathology service provider Summit Pathology.

Georgia hospital loses EHR access

Memorial Hospital and Manor, a community hospital in Decatur County Georgia, told its followers on Facebook Sunday that a ransomware attack has impacted its electronic health records and that patients may encounter care delays.

The attack was discovered over the weekend after team members noticed virus protection alerts, the hospital said in the post.

"Please bear with us as you may experience longer wait times when you come to either the hospital or physician offices as we are working on a paper-based process," Memorial Hospital and Manor said.

No information about the attack is currently available on the hospital's website, though the hospital said it is evaluating what it needs to do to restore access to its patient records, according to a report by local WALB News. 

Healthcare IT News reached out to the hospital for a statement, and if one becomes available, we will update this story. 

Kaiser reports patient data breach

On Friday, the health system posted a notice for its Southern California members about a health information privacy matter discovered on September 3. The unauthorized party gained access to the email accounts of two workforce members, according to the notice posted on its website.

"Upon learning of the incident, we terminated the unauthorized access and immediately began an investigation to determine the scope of the access," Kaiser Permanente said.

"After validating the email contents, we determined that some patients’ protected health information was involved."

While the health system said that Social Security numbers and financial information were not involved, protected health information including first and last names, dates of birth, medical record numbers, and medical information were "potentially accessed and/or viewed."

While health system operations were maintained, affected individuals were contacted directly, Kaiser Permanente said.

Attack on lab services affects patients

On October 18, Summit Pathology of Loveland, Colorado, reported to the U.S. Health and Human Services that 1,813,538, had their data breached in a hacking incident.

"The impacted systems contained demographic and healthcare information which includes names, addresses, medical billing and insurance information, certain medical information such as diagnoses, and demographic information such as dates of birth, Social Security numbers and financial information," the pathology services company said in a notice on its website.

On or around April 18, Summit said it had identified suspicious activity on its network and immediately took steps to secure it, launching an investigation with the assistance of third-party forensic specialists. They were able to identify which files "may have been accessed or acquired by the unauthorized cybercriminal."

Summit also said that after a review of its policies and procedures, it added new "administrative and technical safeguards to help prevent future attacks." 

The Oklahoma City-based Murphy Law Firm said in an October 31 statement that it is establishing a class action lawsuit and investigating claims related to the incident.

Summit's forensic investigation "determined that cybercriminals infiltrated its inadequately secured computer environment and thereby gained access to its data files," the law firm said.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.