Health Data Hacking Incident Affects 400,000Columbia Surgical Specialists of Spokane Reports Breach
This story has been updated.
A surgery practice in Washington state has reported a hacking incident that resulted in a breach affecting 400,000 individuals, the largest added to the federal health data breach tally so far in 2019.
Columbia Surgical Specialists of Spokane reported the breach to the Department of Health and Human Services' Office for Civil Rights, which now lists it on its HIPAA Breach Reporting Tool website of major health data breaches affecting 500 or more individuals.
The incident is described on the tally as involving a network server. No notification about the incident appeared on the practice's website as of midday Tuesday.
A Columbia Surgical Specialists information systems manager tells Information Security Media Group that the hacking incident involved a ransomware attack on Jan. 7. The practice worked with a security firm to unlock its systems and recover its data without paying a ransom within a few days of the attack. Some of the impacted patient files are more than 20 years old, and the practice is still assessing how to notify various individuals, the manager says.
Rush University Medical Center Incident
In another newly reported health data breach, Rush University Medical Center in Chicago on Monday revealed that it learned on Jan. 22 that an employee of one of a third-party financial services vendors improperly disclosed a file containing certain patient information to an unauthorized party.
"We believe this disclosure occurred in May 2018. Law enforcement and regulatory officials have been notified. Based on our internal review, we believe this file included limited personal information relating to certain Rush patients," Rush says in a statement posted on its website.
A Rush spokeswoman tells Information Security Media Group that the incident involved a claims processing vendor's employee and potentially exposed data on 45,000 individuals.
Although the shared information varies by individual, potentially compromised information includes name, address, date of birth, and insurance information, Rush says.
"During our investigation, we did not find any evidence of any unauthorized access to any of Rush's internal computer systems or network," the organization says in its statement.
Rush has notified law enforcement and regulatory officials. As of Tuesday, the incident was not yet posted to the HHS breach tally website.
The Chicago medical center has offered the patients affected 12 months of prepaid identity protection services. Rush says it's launched an internal investigation, suspended the contract with the claims processing vendor and is reviewing contracting processes and vendor oversight.
Other Recent Breaches
The incidents at Rush and Columbia Surgical Specialists are among the largest health breaches reported in recent weeks.
The largest health data breach revealed so far this year, but not yet added to the federal tally as of midday Tuesday, affected University of Washington Medicine. UW Medicine in a Feb 20 statement said a misconfigured database left patient data exposed on the internet for several weeks last December, resulting in a breach affecting 974,000 individuals.
In another major incident, UConn Health recently reported to HHS a phishing-related breach impacting 326,000 individuals.
On Feb. 20, Vermont-based Rutland Regional Medical Center reported an email-related breach affecting more than 72,200 individuals. And on Feb. 11, Kentucky Counseling Center in Louisville reported an unauthorized disclosure/access breach involving an insider that affected 16,440 (see Spotting Insider Breaches: Employees Can Help).