Breach Notification , Healthcare , HIPAA/HITECH
Florida Hospital Begins Breach Notification Post-AttackTallahassee Memorial Says Patient Data 'Obtained' in February Security Incident
A Florida-based community healthcare system has begun notifying about 20,000 individuals whose information was compromised in a data security incident that prompted the organization to operate under its IT downtime procedures, including diverting some emergency patients, for two weeks in February.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Tallahassee Memorial HealthCare says its investigation into the February incident determined that an "unauthorized person" had gained access to its computer network and obtained certain files from its systems between Jan. 26 and Feb. 2.
Affected information includes names, addresses, birthdates, Social Security numbers, health insurance information, medical record numbers, patient account numbers and some treatment information related to care received at TMH.
No financial account or payment card information was affected and TMH's electronic medical records were not involved in the compromise, the organization says.
TMH is a private, nonprofit entity that operates about 25 facilities serving patients in 17 counties of North Florida and South Georgia, including a psychiatric hospital, specialty care clinics and a 772-bed acute care hospital.
The organization says it first detected "unusual activity" involving its computer systems on Feb. 3, prompting it to operate under its "IT system downtime protocols" for about two weeks. During that time, TMH resorted to using paper documentation instead of electronic health records, diverted some emergency patients to other facilities, and canceled or postponed nonemergency surgical and outpatient procedures.
So far, TMH has not publicly confirmed if the episode involved ransomware, but it says it has worked with law enforcement and state and federal agencies to manage the investigation and recovery from the incident (see: Cyberattack Wave on Healthcare Reaches Florida and Maryland).
"Due to the confidential nature of the investigation into this event, we are not able to provide additional details. Law enforcement is aware and investigating," TMH said in a statement to Information Security Media Group.
So far in 2023, at least six U.S. healthcare systems with a total of 14 hospitals have been affected by ransomware, and at least five of those organizations experienced data theft, said Brett Callow, threat analyst at security firm Emsisoft.