Incident Of The Week: May Eye Care And Health First Both Report Breaches Of Customer Information

Ransomware and Phishing Hit Healthcare Organizations



Esther Shein
11/16/2018

When it comes to data breaches, it’s been a bad time for healthcare organizations. On Thursday, Pennsylvania-based May Eye Care Center and Associates reported that 30,000 patient records were breached after it became a victim of a ransomware attack on July 29.

Also on Thursday, Florida-based Health First said it notified the Department of Health & Human Services in October of a data breach earlier this year that exposed the personal information of 42,000 patients, according to DataBreaches.net.

May Eye Care’s server was infected with ransomware that compromised its electronic health record system. The breach included patient names, dates of birth, addresses, medical diagnoses, treatment details, clinical notes and insurance information. Some patients’ social security numbers were also exposed, Health IT Security reported.

Officials hired a third-party forensics team to help investigate and contacted the FBI. May also hired an IT security firm to review and bolster its security systems and policies. The company said all patients included in the breached data have been notified.

“While we believe these attacks were targeted at our office for the purpose of obtaining monetary payments from May Eye Care, our primary concern is to make sure that patients have complete information and take all necessary precautions in the event that any personal information was compromised during this breach,” officials said in a letter to patients, according to DataBreaches.net.

The letter also said there is no evidence to suggest any patients’ protected health information has been directly accessed or used without their notification, DataBreaches.net said. The site said May did not pay any ransom for its data and was able to restore operations from backups without any data loss.

While the breach was added to the Office of Civil Rights breach reporting tool on Oct. 11, no explanation was given for why it took longer than the HIPAA-required 60 days to notify the public, Health IT Security noted.

In the case of Health First, a forensic review revealed “a small number of our employees were the victims of a phishing scam which compromised some of our customers’ information,” between February and May 2018, the site reported. “The criminals were able to gain access of these employees’ email accounts for a limited period of time.”

Once the breach was discovered, Health First officials blocked the unauthorized access and changed the email account passwords of the employees who were affected. The company said it is “initiating new security measures to prevent a similar event from happening again.” It is also offering an identity protection service to monitor the identities of impacted customers for a year for free.

Health First officials also told Florida Today this week that the data breach “was fairly low-level,” but it may have included some customers' Social Security numbers. “Mostly it appears to have involved information such as addresses and birth dates. No medical information was compromised,” according to the report.

RECOMMENDED