Ransomware Attack on St. Joseph’s/Candler Impacts 1.4 Million Individuals

St. Joseph’s/Candler (SJ/C) hospital system located in Savannah, GA had been attacked by ransomware on June 17, 2021 at approximately 4 a.m. After becoming aware of the suspicious activity in its system, SJ/C quickly worked on keeping its systems separate and protected. Because of the attack, the computer systems were unavailable. Therefore, emergency measures were adopted. Staff had to employ pen and paper to record patient details.

SJ/C sent a security breach notification to law enforcement, which started an investigation. Third-party cybersecurity agencies helped SJ/C confirm that hackers at first acquired access to its systems on December 18, 2020 and had system access until June 17, 2021, at which time ransomware was deployed.

Shortly after the discovery of the attack, SJ/C announced that its facilities will not stop providing patient care operations and will use established backup processes and other downtime procedures. The physicians, nurses and personnel of the hospital are equipped with the proper training to provide care in these sorts of situations and are committed to doing whatever is needed to counter disruption and provide uninterrupted patient care.

While the breach investigation is in progress, it became known that the portions of the network accessed by the hackers contained records of patients’ protected health information (PHI). A complete audit of those records confirmed they contained patient information like names, birth dates, addresses, driver’s license numbers, financial details, Social Security numbers, billing account numbers, medical insurance plan member IDs, medical record numbers, patient account numbers, dates of service, names of provider, medical and clinical treatment details concerning care provided by SJ/C.

SJ/C has presently confirmed the possible breach of 1,400,000 patients’ PHI during the ransomware attack. Issuance of breach notification letters to impacted individuals commenced on August 10, 2021 and credit monitoring and identity theft protection services are offered at no cost. SJ/C also reported that it is enforcing extra safety procedures and technical security measures to further protect and manage its systems.

About Christine Garcia 1191 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA