Imperial Health Ransomware Attack and Lost Laptop Impact Patients’ PHI

Imperial Health, a physicians’ network in Southwest Louisiana, is announcing the potential compromise of over 111,000 patients’ protected health information (PHI) because of a ransomware attack discovered on May 19, 2019. An unauthorized party was able to deploy ransomware on the network, which encrypted files and the database of Imperial Health’s Center for Orthopaedics (CFO).

The database stored the PHI of 116,262 patients. Although investigators found no evidence that data was accessed or stolen, the possibility of a breach of PHI cannot be ruled out. Imperial Health therefore decided to issue breach notifications to impacted patients so that they can take the necessary steps to reduce the risk of harm.

The database stored information belonging to patients who had received healthcare services at CFO in the past. The data varied from patient to patient and probably included name, phone number, address, birth date, medical record number, diagnoses, treatment data, prescribed medicines, dates of service, treating doctor, other clinical data and Social Security number.

Imperial Health has reported the incident to law enforcement and is assisting with the investigation. The ransomware has been removed from its network and the data has been successfully restored. New anti-virus software has been installed to better defend against future malware and ransomware threats.

Missing Laptop With 1,500 Patients’ PHI
The Philadelphia Department of Behavioral Health and Intellectual Disability Services (DBHIDS) reported the loss of a laptop computer containing the PHI of around 1,500 patients. The laptop was password-protected but not encrypted.

A briefcase containing the laptop was lost on public transportation. The information on the laptop included names, birth dates, MCI numbers, names of service providers, and Medicaid waiver services that the client had applied for or was receiving.

The 1,500 people affected by the incident were sent breach notifications on the day the laptop went missing, along with an offer of one year of free credit monitoring services. The forensic team confirmed that the laptop had not been used to access patient files.

It is DBHIDS policy to encrypt all laptop computers, and it is unclear why this device was not encrypted. DBHIDS will conduct a review and ensure that all laptop computers are encrypted. Employees will be required to retake the HIPAA Basics training course and receive additional security-focused training.