Fraud Management & Cybercrime , Incident & Breach Response , Managed Detection & Response (MDR)

Texas Medical Center Breach Affects 640,000

Apparent Ransomware Attack Exposed Patient Information
Texas Medical Center Breach Affects 640,000
An apparent ransomware incident at Hendrick Medical Center in Texas led to a data breach potentially affecting 640,000.

An apparent ransomware incident at a Texas healthcare organization has potentially compromised the protected health information of more than 640,000 individuals.

See Also: Double-Click on Risk-Based Cybersecurity

Abilene, Texas-based Hendrick Health on Jan. 15 reported the hacking incident to the Department of Health and Human Services, according to HHS’ Office for Civil Rights’ HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.

In a breach notification statement issued Jan. 15, the organization says that on Nov. 20, 2020, it identified a “network security threat” that affected patient information and disrupted the operations of its IT systems.

“We immediately took steps to further secure our systems, launched an investigation and notified law enforcement,” the statement says. “Through the investigation, we have determined that an unauthorized party may have accessed patient information between Oct. 10, 2020, and Nov. 9, 2020, including patients’ names, Social Security numbers, demographic and other limited information about patients’ care at Hendrick.”

Hendrick Health says its electronic health record system was not affected. And the incident only affected patients of Hendrick Medical Center and Hendrick Clinic, not patients of the organization's Hendrick Medical Center Brownwood and Hendrick Medical Center South facilities.

Shut IT Networks

Upon discovering the security incident in November, Hendrick issued a statement saying that to fully address the issue, “we have shut down Hendrick IT networks. Our primary goal is to maintain patient safety while administering downtime procedures.”

The statement noted: “Network security threats are an unfortunate reality in our industry, and we have coordinated with industry experts and law enforcement to address the issue to get our networks back up and running.”

During the incident, Hendrick Medical Center's inpatient services, including emergency and critical services, remained available, but some outpatient services needed to be rescheduled.

Hendrick Health did not immediately respond to an Information Security Media Group request for additional details.

Another Recent Ransomware Incident

As of Friday, Hendrick’s hacking incident is the largest breach added to the HHS OCR’s health data breach reporting website so far in 2021.

At least one other apparent ransomware-related breach is among the 15 breaches added to the federal tally so far this year: a hacking incident reported on Jan. 9 by Texas-based Leon Medical Centers LLC affecting 500 individuals. But a Leon Medical Centers breach notification statement indicates that the number of victims could grow as the incident continues to be assessed.

Recent research by security vendor Emsisoft found that at least 560 U.S. healthcare facilities were hit by ransomware in 2020 (see:

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.