Cyberattacks Reported by Montgomery General Hospital, Adelanto HealthCare Ventures, and Tallahassee Memorial Healthcare

Montgomery General Hospital Suffers Ransomware Attack and Data Leak

Montgomery General Hospital, located in West Virginia, experienced a cyberattack in which unauthorized persons accessed its IT systems on or about February 28, 2023, and installed ransomware on or about March 1, 2023. The attackers were able to access some servers, extract files, and encrypt information. Montgomery General Hospital hired a third-party security company to help investigate and determine the scope of the breach. It was confirmed that the attack did not affect its cloud-based electronic medical record system. Most of the extracted files included historical information, cost reports, budget documents, and vendor payments; nevertheless, some of the files included patient data.

At this point in the investigation, the scope of compromised patient data is still unknown. The hospital will send notifications to impacted patients before the 60-day reporting deadline imposed by the Breach Notification Rule. Credit monitoring services will be offered to persons who had their Social Security numbers compromised. Montgomery General Hospital stated it temporarily took down its electronic medical record system as a safety precaution. However, access was immediately restored, so the attack did not impact patient care. A hospital representative confirmed that the attacker demanded a ransom payment of $750,000. However, the hospital did not pay the ransom, on the advice of authorities and because of the historical nature of the breached information. The hospital’s investigation shows that the security incident began with a phishing attack, and the hospital knows that part of the stolen records was posted on the ransomware gang’s data leak website.

The D#nut ransomware group stated that it is responsible for the cyberattack and that it had negotiated with the hospital. However, the group lost patience and began publishing part of the stolen information on its data leak website. A ransomware group member contacted DataBreaches and provided a link to the published information. It was confirmed that the published files contained employee information. Access to the information was obtained by taking advantage of a Microsoft Exchange vulnerability.

The incident is not yet posted on the HHS’ Office for Civil Rights breach website; hence, the magnitude of the exposed or compromised patient data is still unknown.

Hospitals Inform Their Patients About Adelanto HealthCare Ventures Phishing Attack in 2021

A number of hospitals have begun informing patients about a data breach that occurred at Adelanto HealthCare Ventures (AHCV). AHCV has consulting offices located in Nashville, Tennessee, Washington D.C., and Austin and Laredo in Texas. It provides transactional advisory assistance and other services. AHCV provided services to an unnamed business associate of the impacted hospitals. Based on the breach notifications that the hospitals recently issued, their business associate gave AHCV claims data on their patients to enable AHCV to carry out its contracted services.

On November 5, 2021, AHCV found out that unauthorized persons had accessed two employee email accounts after the employees clicked on phishing emails. AHCV investigated the data breach and initially concluded that the email accounts didn’t include any protected health information (PHI). On December 21, 2021, AHCV learned that one of the email accounts did contain patient data that could have been viewed during the attack. AHCV only confirmed the potential compromise of some PHI to its business associate on August 19, 2022.

The business associate started an investigation together with AHCV to get more information regarding the compromised PHI and the people impacted. However, it did not have enough information to perform its assessment until December 27, 2022. The business associate then notified the affected hospitals on January 28, 2023. The hospitals began sending breach notification letters two months later, at the end of March, which means the letters were sent 16 months after the breach happened. The following data elements were compromised: name, Medicaid client ID, Medicaid claim ID, facility name, care plan name, Medicaid program, birth date, gender, dates of admission and discharge, mental health comorbidity, and medical and diagnosis data.

AHCV has improved its security measures and has given its employees additional security awareness training. No misuse of patient data has been discovered as a result of the incident; nevertheless, as a safety measure, impacted persons are being provided free credit monitoring and identity theft restoration services for one year.

The number of affected hospitals/healthcare providers and patients is presently uncertain. To date, the following hospitals have reported the data breach:

  1. St. Luke’s Health (TX) – 16,906 individuals affected
  2. Doctors Hospital of Laredo (TX) – 500 individuals affected (potentially a placeholder)
  3. Fort Duncan Regional Medical Center (TX) – Unknown
  4. McAllen Hospitals dba South Texas Health System (TX) – Unknown
  5. Northwest Texas Healthcare System (TX) – Unknown
  6. The Vines Hospital (FL) – Unknown
  7. Suncoast Behavioral Health (FL) – Unknown
  8. Texoma Medical Center (TX) – Unknown
  9. Coral Shores Behavioral Health (FL) – Unknown
  10. River Point Behavioral Health (FL) – Unknown

Patient Data Stolen in Tallahassee Memorial Healthcare Cyberattack

Non-profit health system Tallahassee Memorial Healthcare (TMH) in North Florida and South Georgia experienced a cyberattack at the end of January. It had to operate under emergency downtime procedures for about two weeks. Based on its breach notification, TMH discovered strange system activity on February 3, 2023, and secured its systems. A third-party cybersecurity company investigated the breach and learned that unauthorized persons had access to its network from January 26 to February 2, 2023, and extracted files. Cyberattacks like this usually involve ransomware, but the use of ransomware is not confirmed. TMH didn’t give more information on the particular nature of the cyberattack.

The analysis of the stolen data is already complete. TMH sent notification letters about the incident to the affected individuals on March 31, 2023. The compromised data included names, addresses, birth dates, Social Security numbers, medical insurance data, patient account numbers, medical record numbers, and/or some treatment data. TMH stated that the attack did not affect its electronic medical record system.

The data breach is not yet posted on the HHS’ Office for Civil Rights breach portal. Hence, the exact number of impacted persons is still unknown. However, it is estimated to be approximately 20,000 persons. Free credit monitoring and identity protection services are being provided to those who had their Social Security numbers exposed during the attack.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone