Brooklyn Hospital Center Malware Attack and Washington University School of Medicine Unauthorized PHI Access

by

A security breach has been announced by Brooklyn Hospital Center in New York. The incident that transpired in late July 2019 involved the installation of malware on some servers of the hospital.

The prompt discovery of the attack limited the harm caused as safety action steps were taken. However, a number of files were still encrypted.

A third-party digital forensics company investigated the nature and magnitude of the malware attack and helped with the retrieval of encrypted files. After ‘exhaustive efforts’ to retrieve the encrypted files, the company revealed on September 4 that it was impossible to recover some patient data.

The hospital center did not lose all medical records, but a number of dental and cardiac images of patients are gone. The hospital is presently reviewing its records to identify the affected patients and notify them in due time. As in other ransomware attacks, the intention of the attackers seems to be the extortion of money from the hospital and not the access to patient data. There was no report received that patient information was misused. The forensic investigators also did not uncover any evidence that suggests the access or exfiltration of patient information by the attackers.

Brooklyn Hospital Center previously installed rigid security controls to evade cyberattacks, but the attackers circumvented those controls in this instance. Policies, procedures, and current security practices are being reviewed and security control enhancements are being planned to avoid other breaches from happening again.

Washington University School of Medicine Unauthorized PHI Access

Washington University School of Medicine (WUSM) found out that an unauthorized person used an employee’s personal laptop computer to access a WUSM email account that has the protected health information (PHI) of several Department of Ophthalmology and Visual Sciences patients.

The unauthorized person who accessed the email account from April 29, 2019 to September 3, 2019 was found to have a personal relationship with the WUSM employee. A third-party company conducted a forensic investigation to know what data the account contained, which may have been accessed. The investigators learned that the email messages and attachments contained patients’ names, dates of birth, medical record numbers, names of providers, and some treatment and clinical data, including diagnoses and prescription details. Some patients’ Social Security numbers and health insurance details were likewise potentially exposed.

The investigators did not determine which email messages and attachments were opened, thus it was decided that all people whose PHI was potentially compromised should be notified. Any person whose Social Security number may have been exposed were offered free credit monitoring and identity theft protection services.

WUSM became aware of the breach on September 3, 2019, after reports that certain patients reported receiving a letter concerning one employee of the Ophthalmology Department. The succeeding investigation resulted in the exposure of the security breach. It is uncertain why those people were got in touch with.

Since the incident, WUSM has implemented more security improvements and has re-trained employees about password guidelines.

The Department of Health and Human Services’ Office for Civil Rights’ breach portal has not published the incident yet, so the number of patients affected by the breach is presently unknown.