700,000 Patients Affected by Arizona Medical Center Ransomware Attack

A medical center in Arizona announced it was the victim of a ransomware attack in which the attackers obtained the protected health information (PHI) of approximately 700,000 current and former patients. According to the medical center’s announcement, the attack was detected on April 25, 2022, and affected some of its IT systems.

Immediate action was taken to contain the attack, and systems were taken offline to prevent further unauthorized access. Law enforcement was notified, and a third-party computer forensics firm assisted with the investigation to determine the nature and scope of the attack.  

The investigation confirmed that the attackers had access to the medical center’s systems from April 21 to April 25, 2022, and that, prior to encrypting files, they exfiltrated a subset of files from its systems. The PHI in those files included patient names, Social Security numbers, health insurance information, and limited medical information. The medical center worked with security experts to bring its systems back online as quickly as possible.

The medical center said it mailed letters to the patients whose information may have been involved in the cybersecurity incident. It is also offering complimentary credit monitoring and identity theft protection services to those who are eligible. The medical center has taken steps to help prevent a similar incident from happening again.

Issue: 

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. The healthcare sector is one of the most frequently targeted victims of ransomware because of the sensitivity of the confidential data it holds and the critical nature of online patient records. The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. It is imperative that all nursing facilities become proactive in preventing ransomware attacks in order to avoid data breaches, which are reportable under HIPAA requirements.

Discussion Points: 

  • Review policies and procedures related to HIPAA, PHI, the Privacy Rule, and data integrity. Ensure that they address how to avoid falling prey to breach attempts by unauthorized individuals, and how to guard against and detect malicious software. Update them as new information becomes available.
  • Train appropriate staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposure, and unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and whenever new threats and security information become known. Document that these trainings occurred, and file the signed training record in each employee’s education file.
  • Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed.