
As ransomware attacks spread, health system hit by phishing

The new realities of cybersecurity may necessitate a legislative update to HIPAA, according to one member of Congress.


Add two more U.S. hospitals to the growing list of ransomware targets, plus one that has fallen victim to a lower-profile tactic, phishing.

Tuesday morning, we learned that Metropolitan Jewish Health System in Brooklyn, New York, has been hit by a phishing attack. As HIPAA Journal reported, an employee responded to a phishing email on Jan. 18, but the health system did not discover the breach until four days later.

In that time, records of 2,483 patients may have been compromised, according to HIPAA Journal.

This follows a “malware disruption” last week at Alvarado Hospital Medical Center in San Diego. The hospital is back online without having to pay a ransom, the San Diego Union Tribune reported.

(Alvarado is owned by Prime Healthcare; Prime hospitals in Victorville and Chino, California, suffered ransomware attacks last month.)

Similarly, Kings Daughters Health, Madison, Indiana, shut down its computers last Wednesday after one user's computer was infected with the Locky ransomware, according to local news reports. Systems were mostly back online by Monday.


In disclosing the phishing attack this week, Metropolitan Jewish Health System issued the following statement:

We conducted a thorough review of the employee’s email account and confirmed that the emails in that account contained information that may have included MJHS member and patient names, member numbers, diagnoses, treatment dates, and the facility where members were recently treated. MJHS continues to review other employees’ email accounts and will advise if any additional information, members, or patients are affected.

For now, the phishing appears to have been isolated to a single email account. Still, that alone is enough to cause a HIPAA violation, which highlights an important distinction between ransomware and other kinds of hacks.

In a ransomware attack, the computers are locked down, but the cybercriminal often never gains access to the data itself, including HIPAA-defined protected health information (PHI). Dan Munro noted this on Forbes last week.

If PHI isn’t compromised, hospitals don’t even need to report ransomware to the HHS Office for Civil Rights, said Rep. Ted Lieu (D-California). Lieu told InfoRisk Today that he is considering a legislative update to HIPAA.

“As ransomware attacks against hospitals become more frequent, it is critical for patients to know when their records are being held hostage and for the government to understand the scope of the problem. I am actively exploring legislation to achieve that transparency,” Lieu said.

Photo: Flickr user Pardee Ave.
