Data Breaches Reported by Ascension, Prudential Insurance Company of America and West Idaho Orthopedics and Sports Medicine

Investigation Of Ascension Cyberattack

Ascension, a leading non-profit and Catholic health system in the U.S., has reported the investigation of a supposed cyberattack that has disturbed medical operations. As a safety measure, business associates were told to disconnect from its systems. The Google-managed cybersecurity organization Mandiant helped with the inquiry and remediation work, and the proper authorities were alerted concerning the alleged cyberattack.

Ascension enforced its incident response practices when abnormal activity was discovered in sections of its systems and is now determining the consequence and time frame of the interruption. That procedure has needed to take selected systems offline. Guidelines and processes have been made and personnel trained on delivering care without the use of IT systems and steps were undertaken to minimize the impact on patients and make certain that patient care is safely given. As a preventative measure, a few Ascension hospitals have redirected rescue ambulances to other services.

Ascension runs 40 senior living facilities, 142 hospitals, and over 2,600 care centers in the District of Columbia and 19 states. It is presently not clear how many facilities have been affected, though there were news reports revealing that hospitals in many states are encountering disruption, with staff stating that charting, appointment, and prescription writing systems have been impacted.

Ascension stated the strange activity was noticed within its network on May 8, 2024, and gave an overview of its actions prompted by the suspected cyberattack. Nonetheless, few information regarding the attack has been provided thus far, for instance, whether the incident involved ransomware. At this early period of the investigation, it is uncertain to what level, if any, patient records have been compromised. A representative for Ascension mentioned patients will be advised in case it is ascertained that sensitive patient files have been exposed and more data concerning the incident and effect will be revealed as the investigation moves along.

36,000 Individuals Affected by Prudential Insurance Company of America Ransomware Attack

The Prudential Insurance Company of America has sent a breach report to the HHS’ Office for Civil Rights and State Attorneys General indicating that the personal data and protected health information (PHI) of 36,092 persons were affected. In February, the incident report was initially filed with the Securities and Exchange Commission (SEC) as a hacking incident that allowed access to administrative user files and accounts of the employee and contractor. The attack happened on February 4 and was discovered the next day.

Third-party cybersecurity experts helped with the investigation and confirmed that a small proportion of files were extracted from its system. Prudential stated the files contained names, driver’s license numbers, non-driver ID numbers, and addresses. Prudential has affirmed that the attacker doesn’t have access to the system anymore. Access settings and security procedures are being improved, and extra monitoring systems are being applied. The impacted persons are being informed by mail as required by HIPAA, and are provided free credit monitoring and identity theft protection services.

The Blackcat ransomware group said it is responsible for the cyberattack and included Prudential on its data leak website. The Blackcat group was also behind the cyberattack on Change Healthcare. In that incident, the group did not delete the stolen data even after giving the ransom payment.

Ransomware Attack on West Idaho Orthopedics and Sports Medicine

West Idaho Orthopedics and Sports Medicine, which manages orthopedic centers in Caldwell, Fruitland, and Meridian, ID, has reported encountering a ransomware attack in March. The attack was discovered on March 15, 2024, and systems were secured to stop more unauthorized access. The internal investigation revealed that the attackers extracted files from its system before deploying ransomware, and those files potentially included patient files.

The analysis of those files showed that names, birth dates, addresses, phone numbers, health data, email addresses, and insurance details were potentially stolen. The breach affected around 5,000 patients. The attack was reported to law enforcement and government bodies, and the impacted people are being alerted through mail. West Idaho Orthopedics and Sports Medicine stated it is improving its security to stop the same occurrences later.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone