Cybersecurity Attacks on Altus Hospital in Baytown and Southwest Washington Regional Surgery Center


Altus Hospital located in Baytown, Texas had been attacked by ransomware, which encrypted much of the hospital data records.

The attack did not have an impact on the electronic medical record system of the hospital. But some patients’ protected health information (PHI) were contained in the encrypted files. The affected PHI included names, addresses, phone numbers, dates of birth, Social Security numbers, credit card details, driver’s license numbers, and healthcare data.

Altus Hospital became aware of the ransomware attack on September 3, 2018 and got a ransom demand. But the hospital used backups to restore all affected files with the assistance of a third-party security consultant.

The investigator confirmed that the attacker was able to access the hospital’s servers prior to deploying a variant of the Dharma ransomware. Altus Hospital is convinced that the primary aim of the attack was extortion of money and there was no data access or patient data theft that occurred. Altus Hospital has been improving their cybersecurity defenses with the help of external risk and security consultants.

Although the attack was restricted to the servers of Baytown hospital, the hospital’s servers had some data that came from a number of affiliated entities: Zerenity Baytown, LP, Altus Women’s Center of Baytown, LP, Oprex Surgery (Baytown), LP, Clarus Imaging (Beaumont), LP, Clarus Imaging (Baytown), LP, and Altus Radiation Oncology Baytown, LP.

Southwest Washington Regional Surgery Center found out that an unauthorized person got access to an employee’s email account because of a phishing attack. The hacker accessed the email account on May 27, 2018 until August 13, 2018. Southwest Washington Regional Surgery Center had a forensic team investigate the breach and did a manual review of all the emails contained in the exposed account. On September 25, it was confirmed that the email account contained the PHI of 2,393 patients.

The types of information that was possibly accessed were different from one patient to the next. The compromised information potentially included names, Social Security numbers, driver’s license numbers, diagnoses, treatment data, particulars of the surgical procedures performed, prescribed medicines, laboratory test results, and medical insurance details. The credit card numbers of a number of patients were also likely compromised.

Southwest Washington Regional Surgery Center offered all patients whose Social Security number were compromised complimentary credit monitoring and identity theft restoration services. All passwords of the center have been updated and better email access protocols were implemented to stop other phishing attacks.