Potential PHI Breaches at Capital Region Medical Center and Labette Health

Capital Region Medical Center (CRMC) based in Jefferson City, MO has lately confirmed that unauthorized individuals accessed patient information in a cyberattack last December 2021 that resulted in the shutdown of its network and phone systems for several days.

The cyberattack was identified on December 17, 2021 because of a disruption in its internet systems. An investigation was begun to know the nature and scope of the breach. A public announcement regarding the security incident was published on December 23, 2021. It was unclear at first if patient data was compromised however that is already confirmed now.

CRMC stated at this period of the investigation it does not seem that the attackers acquired access to its electronic medical record database; nonetheless, the files accessed or possibly accessed by the hackers contained information such as patient names, birth dates, addresses, medical data, and health insurance data. A portion of patients additionally had their driver’s license numbers, financial account data and/or Social Security numbers exposed. That part of patients was provided a complimentary one-year membership to credit monitoring services. CRMC mentioned there was no evidence found thus far that indicates the misuse of any patient information.

CRMC mentioned it will still assess its security policies and will consider opportunities to apply extra cybersecurity procedures to strengthen security and stop the same cyberattacks later on.

The incident is not yet posted on the HHS’ Office for Civil Rights breach portal, therefore it is currently not clear how many people were affected.

Labette Health Informs Patients Concerning October 2021 Cyberattack

Labette Health located in Kansas has just announced that unauthorized persons accessed its IT systems from October 15, 2021 to October 24, 2021.

Labette Health stated that it took prompt steps to safeguard its network and restrict the potential for more harm. Third-party cybersecurity professionals were hired to investigate the security breach and find out the nature and extent of the attack. The investigation determined on February 11, 2022, that certain files and folders located on its network that included patients’ protected health information (PHI) were accessed by unauthorized persons, who may have exfiltrated a number of those files.

The files comprised employee and patient names and one or more of these types of data: medical treatment and diagnosis details, treatment expenses, dates of service, prescription details, Medicaid or Medicare number, health insurance information, and Social Security number.

It has been four months since the occurrence of the breach, and thus far, Labette Health hasn’t identified any proof of misuse of patient or worker data. Labette Health mentioned on March 11, 2022, written notifications were sent to impacted persons as a safety precaution. Those whose Social Security numbers were compromised received free credit monitoring services.

Labette Health stated it implemented the recommendations of cybersecurity experts and has fortified network security, applied stronger password security policies and multi-factor authentication for system access, and has improved endpoint detection software and offered supplemental network security and threat detection instruction to the employees.

The data breach is not yet published on the HHS’ Office for Civil Rights breach website thus it is presently uncertain how many people were affected.