In March 2024, LockBit3.0 added Redwood Coast Regional Center (RCRC) to its leak site. On May 3, RCRC notified HHS of the March 6 incident, reporting that 500 patients had been affected. RCRC only recently updated that report to indicate that 24,937 patients were affected. On or about November 5, they began mailing out letters…
Category: Health Data
In the midst of restructuring, Guardian Healthcare hit by ransomware attack
A recent article on the cybersecurity risks posed by mergers and acquisitions begins: When companies merge, it creates significant cybersecurity challenges in two main ways: firstly, challenges arise in integrating disparate security infrastructures, and secondly, an M&A transaction brings together diverse organizational cultures which presents its own challenges from a cyber perspective. Yet the limited…
Class action ping pong: Dismissal of lawsuit against Chelan Douglas Health District reversed; case goes back to Superior Court
In July 2021, Chelan Douglas Health District in Washington experienced a data breach. They disclosed the breach to the public in March 2022, surprisingly patting themselves on the back for completing their investigation in 6-7 months. A number of media reports indicate that the breach reportedly affected almost 109,000 patients, but the breach was reported…
HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation for $90,000
HHS OCR announced a second ransomware investigation settlement today. This one involved Bryan County Ambulance Authority (BCAA), a provider of emergency medical services in Oklahoma. The Bryan County Ambulance Authority breach occurred in November 2021, but was only first reported to HHS on May 18, 2022. It affected 14,273 patients. HHS’s press release (below) notes…
How many similar breaches can one entity have in one year before regulators do something?
How many data breaches can an entity have before either some regulator steps in with a corrective action plan or something happens to reduce the likelihood of more breaches? Consider the following: Breach # 1 On February 22, 2022, Minuteman Senior Services (MSS) identified suspicious activity related to an employee’s email account. According to the notification…
HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation for $500,000
A press release from HHS OCR today announces a settlement with Plastic Surgery Associates of South Dakota. In July 2017, DataBreaches reported that the entity was notifying 10,200 patients after a ransomware incident. Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Plastic Surgery…