Ransomware attack on a US Drug Rehabilitation Center impacted 25,148 patients

The PHI (Protected Health Information) of over 25,000 US healthcare patients might have been compromised after a ransomware attack on a US drug rehab center.

The SCADD (Southeastern Council on Alcoholism and Drug Dependence), an addiction treatment facility in US State of Connecticut, said that they had discovered some disruptions in their network on Feb. 18, 2019.

As per a security advisory that was issued by the drug rehab center "SCADD immediately began an investigation to determine the nature and scope of the event. This investigation included working with third-party forensic experts".

The investigation confirmed that ransomware was installed on SCADD systems, a few of which contained protected health information of patients. Once systems of SCADD were secured, then the investigators focused to determine the type of information that was possibly impacted, to whom this information is related, as well as valid address information of those individuals so as to notify them about this incident. Although no evidence was found that will suggest the attackers have accessed the files containing Protected Health Information, third-party forensic investigators have not been able to rule out the patient data access.

With the help of this ongoing investigation, the SCADD determined that information possibly impacted by this incident might include the affected individuals' name, Social Security number, address, as well as treatment and medical history information. Till now, no reports were received that will suggest any kind of patient information was misused due to this incident.

25,148 patients' personal information was impacted due to this incident, as per the filing made to US Department of Health and Human Services' Office for Civil Rights (OCR) - agency responsible for enforcing the data protection law of US healthcare.

Southeastern Council on Alcoholism and Drug Dependence said that it is currently notifying all the patients whose information has been present on affected systems. As a precautionary measure, the organization has been offering all the impacted patients 12 months of free identity theft protection and credit monitoring services. "The confidentiality, privacy, and security of information is one of SCADD's highest priorities and the organization takes this matter seriously," it said.

» SPAMfighter News - 5/29/2019