A ransomware attack on CHI Health in Omaha, NE resulted in the potential compromise of around 48,000 patients’ protected health information (PHI). CHI Health is a 14-hospital health system.
CHI Health discovered the ransomware attack on August 1, 2019, which impacted an old electronic health record system. The health records of patients who got medical services at the Lakeside Orthopedic Clinic of CHI Health before April 2016 were contained in the EHR system.
Based on investigation reports, the attack resulted in the encryption of a database utilized by the electronic health record system. Though it is very likely that the attackers could have accessed or copied patient data, there is no evidence that data was accessed without authorization or exfiltrated. CHI Health did not receive any report of patient data misuse as well. The only motive behind the attack seems to be the extortion of money from CHI Health.
The following types of data were stored in the database: patient names, contact numbers, addresses, birth dates, Social Security numbers, diagnoses report, treatment data, and other medical data.
CHI Health sent breach notifications by mail to the affected persons and reported the breach to the Department of Health and Human Services’ Office for Civil Rights as well as to other proper authorities.
As a safety precaution, the provider offered all affected people a free subscription to credit monitoring and identity theft protection services for 12 months. CHI Health also took the required steps to avoid similar breaches from happening again in the future.