Breach, Ransomware, Incident Response

Third-party vendor Morley reports data theft impacting 521K individuals

HHS OCR (Sarah Stierch/CC BY 4.0).

Morley recently reported a security incident from August 2021 that led to the theft of data tied to 521,046 clients and former and current employees. The third-party vendor provides a range of services in the U.S., including those for the healthcare sector. The incident is the second-largest healthcare data breach reported in 2022, so far.

On Aug. 1, Morley discovered its data was unavailable and took steps to secure its environment. The investigation determined “additional data may have been obtained from its digital environment.”

The notice appears to explain the near five-month delay in reporting the incident, as a result of collecting the contact information needed to notify impacted individuals. It’s a notable distinction as The Health Insurance Portability and Accountability Act requires covered entities and relevant business associates to notify impacted individuals of health data compromises within 60 days of discovery. A public notice has proven effective when contact details are unknown for the impacted parties.

Both personal and protected health information were among the exfiltrated data, which could include names, contact information, Social Security numbers, dates of birth, client identification numbers, diagnostic and treatment information, and health insurance details.

Morley is providing individuals whose SSNs were affected access to free credit monitoring and identity theft protection services. The vendor has since “made alterations to its cyber environment” to prevent a recurrence.

One month after attack, Taylor Regional still working to recover

The network systems and phone lines of Taylor Regional Hospital remain offline, as it works to recover from a cyberattack that struck one month ago. As previously reported, the Kentucky hospital took its systems offline as a precaution on Jan. 24 after discovering the intrusion. 

The hospital and its connected providers have been operating under electronic health record downtime procedures as it investigates the incident. Temporary phone lines were set up to maintain care operations.

One month later, and patients are still being urged to bring current medications to their appointments and to expect longer than normal wait times. The hospital also remains unable to schedule COVID-19 testing. Instead, patients must visit its walk-in clinic on a first-come, first-serve basis. All patients must bring a written order to receive lab services.

“Patients who are receiving lab draws for outpatient procedures should expect longer than normal wait times. We appreciate your patience as our staff work diligently to meet everyone's needs,” officials explained in its ongoing, urgent notice to patients.

The investigation is ongoing, and Taylor Regional has not provided further details into the attack on its social media. But its website still posts an urgent notice informing patients that all phone lines at its hospital and hospital-owned provider offices remain down amid the investigation.

Minimally Invasive Surgery of Hawaii reports breach from 2021

Orthopedic Associates of Hawaii, All Access Ortho and Specialty Suites d/b/a Minimally Invasive Surgery of Hawaii, have notified an undisclosed number of patients of a ransomware incident that led to the theft of their personal and health information one year ago.

Again, HIPAA requires covered entities to report data breaches within 60 days of discovery, not at the close of an investigation. Notably, the provider’s notice states the investigation concluded in April 2021, 10 months ago.

The provider first discovered the ransomware attack and the encryption of their computer systems on Feb. 19, 2021. The incident prompted a number of recovery efforts to “quickly restore access to the patient information” to maintain patient care without disruption.

The investigation found the attacker first gained access to the network systems for a week, beginning on Feb. 12, 2021. During the access, the actor accessed and exfiltrated “limited data” from its systems. The data could include names, contact, driver’s licenses, health insurance data, medical data, treatments, diagnoses, and financial accounts and payment cards.

For a subset of patients, SSNs were potentially involved. The provider has since reviewed its existing policies and procedures and added to its administrative and technical safeguards.

Jackson County Hospital reports data theft

An undisclosed number of patients of Jackson County Hospital District in Florida are being notified that their data was accessed and potentially exfiltrated after what appears to be a ransomware attack.

Unusual activity tied to “the inaccessibility of certain systems” was detected on Jan. 9, prompting officials to take steps “to contain the threat and enable hospital operations, including services to patients, to continue uninterrupted.”

The hospital determined several of its systems were likely subjected to unauthorized access. In addition, the attacker accessed Jackson Hospital’s systems and took certain data. 

The investigation is ongoing. But officials have determined the compromised data involves both personal and medical information, including names, SSNs, contact details, dates of birth, medical history, conditions or treatments, medical record numbers, diagnosis codes, patient account numbers, Medicare or Medicaid numbers, financial account details, and credentials.

Jackson Hospital has been working with third-party specialists to assess the state of its security on relevant systems and to reduce the risk of a recurrent event. The hospital is currently reviewing existing policies and procedures and plans to enhance its administrative and technical safeguards.

Charlotte Radiology reports systems’ hack, patient data theft

An undisclosed number of Charlotte Radiology patients were recently informed that their data was stolen, during a week-long hack of the specialist’s network in December.

Discovered on Christmas Eve, the incident affected systems containing patient information. The notice explained the incident was contained within days, when they could “resume serving patients.” The details seem to imply it was a ransomware incident that led to potential disruption in operations.

The investigation found the attacker had access to the impacted systems between Dec. 17 and Dec. 24, 2021, stealing copies of documents stored on the system. The exfiltrated data contained information that varied by patient, such as medical record numbers, health insurance details, contact information, provider names, dates of birth, diagnoses, and treatments.

“For a very limited number of patients”, SSNs were also included in the stolen document. Those individuals will receive free credit monitoring.

Additional patients added to Scripps Health breach tally

Scripps Health is continuing to deal with the aftermath of its May 2021 cyberattack. Its latest update shows the California health system recently notified additional patients that their data was included in the information compromised by the security incident that led to the theft of certain data tied to more than 150,000 patients.

The latest update shows Scripps’ continued investigation and document review found additional patients were affected by the incident, “whose information was contained in the documents reviewed that were involved in the incident.” The data could include names, SSNs, contacts, financial account details, medical information, and other sensitive data.

As previously reported, Scripps was hit with a ransomware attack last year, which led to over four weeks of electronic health record (EHR) downtime procedures and the theft of patient data. The cyberattack affected its network, website and patient portal, resulting in the security team taking the platforms offline.

Scripps launched its emergency care diversion protocols for trauma, heart attack and stroke patients, who were diverted to nearby hospitals. All four Scripps hospitals were impacted, as were its backup servers in Arizona and access to medical images and telemetry data was lost. Clinicians relied on downtime procedures with the use of pen and paper for patient care.

The health system is currently facing multiple lawsuits after the incident that has led to more than $112.7 million in estimated revenue loss and incremental expenses.

Priority Health reports actor accessed its Member Rewards Program

An unauthorized actor gained access to certain Priority Health Member Rewards Program (PHMP) accounts and viewed both personal and protected health information of an undisclosed number of individuals in December.

The subsequent investigation into the cybersecurity incident confirmed the actor gained access to the accounts several weeks before it was discovered, with the hack occurring between Nov. 24, 2021, and Dec. 16, 2021. Officials could not confirm whether or not the information was read.

Investigators found the attacker was able to view the information contained in the compromised PHMP accounts, which included names, dates of birth, claims data, insurance details, some medical information, and contact details. Officials found no evidence that SSNs were accessed. All affected individuals will receive two years of free credit monitoring.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.