Potential PHI Exposure at Capital Region Medical Center and Labette Health

Capital Region Medical Center (CRMC) based in Jefferson City, MO has just confirmed that unauthorized individuals accessed patient information in a cyberattack in December 2021 that led to the shutdown of its internet and phone systems for a number of days.

The cyberattack was discovered on December 17, 2021 due to a problem in its network systems. An investigation was started to know the nature and scope of the incident. A public statement concerning the security incident was given on December 23, 2021. It was uncertain in the beginning whether patient data was exposed nevertheless that is already affirmed at this time.

CRMC stated at this point of the investigation it doesn’t look like the attackers obtained access to its electronic medical record storage system; nevertheless, the files viewed or likely accessed by the hackers contained information like patient names, dates of birth, addresses, medical data, and medical insurance data. A portion of patients likewise had their driver’s license numbers, Social Security numbers, and/or financial account data exposed. That part of patients was given a complimentary 12-month membership to credit monitoring services. CRMC mentioned there was no evidence found at this point that suggests the misuse of any patient information.

CRMC explained it will still take a look at its security procedures and will find opportunities to employ more cybersecurity options to reinforce security and avert identical cyberattacks down the road.

The attack is not yet posted on the HHS’ Office for Civil Rights breach website, thus it is presently unsure how many persons were impacted.

Labette Health Alerts Patients Regarding October 2021 Cyberattack

Labette Health located in Kansas has just reported that unauthorized persons accessed its IT systems between October 15, 2021 and October 24, 2021.

Labette Health stated that it took quick action to protect its network and control the possibilities for further damage. Third-party cybersecurity experts were employed to look into the security breach and find out the nature and extent of the attack. The investigation came to the conclusion on February 11, 2022, that some files and folders stored on its network that included patients’ protected health information (PHI) were accessed by unauthorized people, who might have exfiltrated a few of those files.

The files comprised worker and patient names and at least one of the following types of data: medical treatment and diagnosis details, treatment charges, dates of service, prescription data, Medicare or Medicaid number, health insurance information, and Social Security number.

It’s been four months since the happening of the breach, and currently, Labette Health has not determined any proof of misuse of patient or staff data. Labette Health mentioned on March 11, 2022, written notices were mailed to affected people as a safety measure. Persons whose Social Security numbers were compromised got free credit monitoring services.

Labette Health reported it observed the recommendations of cybersecurity specialists and has toughened network security, enforced tougher password security guidelines and multi-factor authentication for system access, and has enhanced endpoint detection software and made available extra network security and threat detection education to the staffing.

The data breach is not yet published on the HHS’ Office for Civil Rights breach site therefore it is at this time unknown how many persons were impacted.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone