Posted on October 30, 2021 at 5:19 PM
Lavaca Medical Center, a healthcare facility based in Hallettsville, Texas, has reported a data breach on its systems. The report stated that 48,705 patients have been affected in this security breach where sensitive patient information was exposed.
Although the hospital is only disclosing the breach now, details show that it was detected on August 22, 2021. The company's IT team detected unusual activity on the computer systems at that time, which pointed to a potential cyberattack.
Breach on Hospital Systems
The hospital states that as soon as the breach was detected on the network, several measures were taken to ensure the network’s security. Moreover, the hospital engaged the services of a cyber-forensics firm that was responsible for conducting the investigations.
The investigations by the forensic team showed that there was evidence of unauthorized individuals gaining access to the hospital’s network between August 17 and August 21. However, the hospital states that there is no evidence that data was stolen during the breach.
However, given the sensitivity of patient data, it cannot be completely ruled out that this data was viewed or exfiltrated by the hackers. The hospital states that the patient details that could have been affected during this breach include patients' names, dates of birth, social security numbers, patient account numbers, and medical records.
However, the report stated that the electronic medical records of patients were not affected during the breach. Lavaca Medical Center further added that there was no substantial reason to make them believe that patient data was taken out of its systems or misused by the hackers responsible for the breach.
The hospital has nonetheless sent notification letters to the individuals affected by this breach, as required under the HIPAA Breach Notification Rule.
To ensure that the patients whose details were compromised during this breach are not affected further, the hospital has stated that these patients will be offered complimentary credit monitoring and identity theft protection services. The hospital has also stated that it is enhancing its network monitoring tools and conducting a regular system audit to detect any unauthorized activity.
Other Hospitals Have Also Been Affected
Lavaca Medical Center is not the first hospital to be affected by a breach of its IT systems. Throckmorton County Memorial Hospital also uncovered a malware infection on its systems. The hospital stated that it had discovered instances where individuals gained access to the hospital's computer network. The network that was breached contained information that belonged to over 3000 patients and employees.
The hospital stated that the system breach was first discovered on September 7, 2021. The breach involved the installation of malware into the systems and unauthorized access to the hospital’s systems. A forensic study into this breach showed that the breach first happened on August 25, 2021. However, the hackers were still able to access the network until September 7.
A review of the affected systems showed that the patient details the threat actors gained access to include first and last names, dates of birth, gender, dates of medical service, patient diagnoses, Current Procedural Terminology codes, patients' medical conditions, the medications issued to patients, and the details of patients' hospital visits.
As mentioned above, employee data was also affected during this breach. The details that were compromised include employees' names, wage/salary history, social security numbers, payroll details and other filing details.
As in the case of Lavaca Medical Center, Throckmorton County Memorial Hospital has stated that the patients and employees affected by the breach will receive a complimentary membership to a credit monitoring service. The hospital further stated that the affected individuals would also receive protection under an identity theft and fraud insurance policy.
The hospital stated that it delayed giving details about this security breach to give time for the IT team to remove the malware and increase the security measures that will prevent such breaches in the future. The hospital stated that if it had issued a notification about this breach earlier, other threat actors would have rushed to take advantage of the exposed vulnerabilities.
Hospitals have been suffering greatly because of compromised systems. Over the last year, the number of cyberattacks launched against hospitals has been high, creating a tense situation for patients. Hospitals are being forced to invest more in advanced cybersecurity systems to reduce the chances of being attacked.