The Southeastern Council on Alcoholism and Drug Dependence (SCADD), located in Lebanon, CT, suffered a ransomware attack that resulted in considerable file encryption. SCADD experienced network problems that led to the discovery of the ransomware attack on February 18, 2019. Investigators confirmed the ransomware infection on SCADD’s systems, which hold the protected health information (PHI) of a number of patients.
Although no evidence was uncovered indicating that the attackers accessed sensitive data, the forensic investigators were not able to rule out the possibility that patient information was accessed. Eventually, SCADD submitted a breach report to the HHS’ Office for Civil Rights and issued breach notification letters to impacted individuals. So far, there have been no reports suggesting improper use of any patient PHI.
Patients were notified of the potential breach of their information, which includes their names, addresses, medical histories, treatment specifics, and Social Security numbers. All impacted individuals were offered free credit monitoring and identity theft protection services. The breach summary on OCR’s web portal indicated that up to 25,148 patients were impacted.
Independent Health, located in Amherst, MA, found out that files containing the PHI of 7,600 health plan members were unintentionally emailed by an employee to an Independent Health member on March 19, 2019. The recipient contacted Independent Health one hour after getting the email, reported the privacy breach, and gave assurance that the email message and files were deleted.
The health plan members’ information that was potentially compromised includes member ID numbers, service dates, providers seen, claim payment information, claim numbers, and medical treatment codes. Though no Social Security numbers or financial information were compromised and the risk of identity theft or fraud is believed to be low, Independent Health provided all affected plan members with a year of no-cost identity theft protection and credit monitoring services. The employee responsible faced disciplinary action as stated in Independent Health’s policy.