The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Oklahoma Institute of Allergy Asthma and Immunology Halts Operations After Cyberattack

The Oklahoma Institute of Allergy Asthma and Immunology was forced to cease trading while it recovered from a cyberattack, with patients forced to wait to receive medical care or seek treatment at other facilities. The asthma and allergy clinic has been closed for at least two weeks as a result of the attack, but the closure appears to be temporary. The clinic furloughed staff while systems were shut down and efforts are being made to restore systems. The closure was necessary as the clinic was unable to access patient records. The clinic has yet to upload a breach notification to its website or report the breach to regulators, so the extent to which patient data has been compromised is not yet known.

Larger healthcare providers may temporarily divert ambulances and cancel some appointments following a ransomware attack but do not typically halt operations, whereas smaller healthcare providers may be left with little alternative. Recently, Murfreesboro Medical Clinic & SurgiCenter in Tennessee halted operations for two weeks while recovering from a cyberattack, and a 2022 survey indicated 25% of healthcare organizations would be forced to temporarily halt operations in the event of a ransomware attack.

Uintah Basin Healthcare Hacking Incident Affects Almost 104,000 Patients

The Roosevelt, UT-based health system, Uintah Basin Healthcare, has discovered hackers gained access to its network and may have viewed or obtained the protected health information of 103,974 patients. Suspicious network activity was detected on November 7, 2022, and its digital environment was immediately secured. Third-party cybersecurity experts were engaged to investigate the breach and determined on or around April 7, 2023, that patient data was potentially accessed. The breach notification letter does not state when access to the network was first gained.

The review of the affected files confirmed they contained a range of PHI, which varied from individual to individual. That information related to patients who had received healthcare services between March 2012 and November 2022. The information exposed included names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses/conditions, medications, test results, and procedure information. The notification process was completed on April 10, 2023.

Complimentary credit monitoring and identity protection services have been offered to affected individuals, and security has been improved to prevent similar incidents in the future, including the deployment of the SentinelOne endpoint detection and response tool, which includes 24/7 monitoring.

Asian Health Services Reports Email Account Breach

Asian Health Services in Oakland, CA, has alerted patients about a recent data security incident involving an employee’s email account. Suspicious activity was detected in the account on February 13, 2023. The account was immediately secured to prevent further unauthorized access and a forensic investigation was conducted to determine the extent of the incident. The email account was determined to have been compromised between February 7, 2023, and February 13, 2023, with the review of emails and attachments confirming they contained names, medical record numbers, dates of birth, phone numbers, and health information such as diagnoses.

Asian Health Services did not find any evidence to indicate patient data had been compromised, but the possibility could not be ruled out. Affected individuals have been offered complimentary credit monitoring, fraud assistance, and remediation services for 12 months. Asian Health Services said a third-party cybersecurity firm has confirmed that the email account can no longer be accessed, and further email safeguards have been implemented to provide an additional layer of protection.

New Mexico Department of Health Reports Impermissible Disclosure of PHI

The New Mexico Department of Health has recently confirmed there has been an impermissible disclosure of the protected health information of 49,000 deceased patients to a journalist. The journalist requested information subject to the Inspection of Public Records Act and was sent a spreadsheet that included all deaths in New Mexico from January 2020 to December 2021. It was later discovered that the spreadsheet contained protected health information that should not have been disclosed. The Department of Health said the spreadsheet did not contain names, birthdates, addresses, or contact information.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.

