Point32Health Ransomware Attack, MU Health Care Employee HIPAA Violation and New Study on the Impact of Cyberattacks

Theft of Harvard Pilgrim Health Care Member Data During Ransomware Attack

Point32Health, the second-biggest health insurance company in Massachusetts, reported in April 2023 that it encountered a ransomware attack that triggered system breakdowns, which include the systems that maintained the accounts of members, providers, and brokers. The company detected the attack on April 17 and immediately took its systems offline to control the breach. However, during the announcement, it was not clear to what degree, if any, protected health information (PHI) was exposed.

Point32Health has given additional information about the incident and stated that theft of the PHI of present and past members of Harvard Pilgrim Health Care plans was likely during the attack. Point32Health stated that the forensic investigation affirmed the systems breach on March 28, 2023. The attackers got access to its systems until the security breach was uncovered on April 17, 2023. The attackers extracted files from its systems that included the following personal data and PHI: names, physical addresses, telephone numbers, birth dates, medical insurance account data, provider taxpayer ID numbers, clinical data, and Social Security numbers.

Point32Health stated that certain affected systems, such as those employed to service members, providers, and brokers, stayed offline, which include the systems that service Medicare Advantage Stride℠ plans (HMO)/(HMO-POS) and Harvard Pilgrim Health Care Commercial. Point32Health engaged third-party cybersecurity specialists and will restore those systems online in a few weeks. Director of Public Relations, Kathleen Makela stated that after completing the internal IT and business validations, together with the comprehensive security tests, certain processes will be accessible in a phased manner.

Point32Health explained that it has evaluated and improved its user access standards, upgraded vulnerability scanning, determined prioritized IT security enhancements, put in place a new Endpoint Detection and Response (EDR) security method, and conducted a password reset for all admin accounts.

There is evidence found that suggests the PHI of present and past health plan subscribers along with their dependents were compromised. However, there is no report received thus far that indicates any misuse of the impacted data. As a safety measure against identity theft and fraud, impacted persons are being provided free credit monitoring and identity theft protection services.

Point32Health as well as its subsidiaries have over 2 million clients in New England, nevertheless, it is uncertain how many of them were impacted.

MU Health Care Employee Violates HIPAA

MU Health Care based in Columbia, MU found out that an employee viewed the health records of 736 patients with no valid work reason. It discovered the unauthorized access in March 2023 and as per the internal investigation, the employee accessed patient records from July 2021 to March 2023.

The types of data that were potentially accessed included names, birth dates, medical record numbers, and clinical and treatment data like diagnoses and procedure details. A representative of MU Health Care stated the person involved had undergone internal disciplinary procedures and no report was received regarding the misuse or further exposure of any of the compromised data. MU Health Care sent notification letters to all impacted persons.

Cyberattacks on Hospitals Disrupted Neighboring Healthcare Facilities

A new study has revealed that healthcare cyberattacks are not just disruptive to the hospital that encounters an attack. The emergency departments at nearby hospitals, where patients have to wait longer because there are more patients that overload the resources.

The study was about a retroactive evaluation of two academic emergency departments managed by a San Diego healthcare delivery organization (HDO), which were located in the area of an HDO that encountered a ransomware attack. The researchers took note of the volume of adult and pediatric patients, emergency healthcare services diversion information, and emergency department stroke care metrics for a month before the attack, at the time of the attack, and a month after the attack.

The ransomware attack observed happened on May 1, 2021, and impacted an HDO that manages 19 outpatient facilities, 4 acute care hospitals, and over 1,300 acute inpatient beds. The attack blocked access to imaging systems and electronic medical records and impacted the HDO’s telehealth functions. Staff were compelled to work with pen and paper to write patient data. Emergency traffic was rerouted to other facilities. The attack resulted in disruption for one month, and about 150,000 patient records were affected.

When one hospital suffers an attack, neighboring hospitals usually see an increase in patient numbers. The greater volume of patients and limitations of resources affect time-sensitive care for medical conditions like acute stroke. The researchers saw substantial disruptions to medical services at the nearby healthcare facilities, even if they were not directly targeted or attacked by the ransomware. When compared with the time prior to the attack, the daily mean emergency department census increased by 15.1%; mean ambulance arrivals increased by 35.2%; mean admissions increased by 6.7%; patients going away without being seen increased by 127.8; visits, where patients went away against medical advice, increased by 50.4%; and median waiting room times increased by 47.6%.

The researchers selected acute stroke care to be an example of a resource-intensive, time-sensitive, technologically reliant, and possibly lifesaving set of complicated actions and choices, that needed a quickly accessible multidisciplinary team that is working together. The researchers noticed that stroke code activations increased by 74.6% and confirmed strokes when compared with the pre-attack period increased by 113.6%.

Because a ransomware attack on a hospital affects other non-targeted medical facilities, the researchers propose that ransomware along with other cyberattacks must be categorized as regional disasters. The researchers did not report any significant treatment times variation in door-to-CT scans or acute stroke. However, they say the disruptions caused by ransomware attacks can quickly result in undesirable patient outcomes. These research results support the requirement for

  • synchronized regional cyber disaster planning
  • more research on the possible patient care effects of cyberattacks
  • continuing work to develop technical health care programs resistant to cyberattacks

Christian Dameff, MD, MS, Theodore C. Chan MD, and Jeffrey Tully, MD conducted the study entitled “Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US.” It was published in JAMA Open Network.

About Christine Garcia 1192 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA