You are currently viewing HMC Says Ransomware Attack Turned Into Healthcare Data Breach

HMC Says Ransomware Attack Turned Into Healthcare Data Breach

In an Aug. 22 letter, attorneys for HMC informed the New Hampshire Attorney General that it discovered on July 16 that a server it used to share files with its clients was infected by ransomware.

Protecting patient privacy has always been important due to the sensitivity of the information kept in medical records.

With a privacy-first solution like SkyFlok, organizations can enjoy secure storage for their files and make sure they keep the privacy of their clients’ data when sharing files with them.

In case of a ransomware attack, SkyFlok has a backup plan. Our clients can recover in no time and get easy access to their files as SkyFlok always keeps copies of their files.

Keep your sensitive information private with SkyFlok!

HMC said it paid the attackers for the decryption key, which they provided. HMC decrypted the data without impact on the healthcare management services it provides to clients.

However, HMC then discovered on July 19 that the attackers were “inadvertently provided” a file containing personal information, including names, Social Security numbers, and health insurance plan data, on IBU members. HMC explained that it provides chronic condition management to IBU (Inlandboatmen’s United of the Pacific National Benefit Funds).

HMC did not explain how the file was “inadvertently provided” to the attackers. It also did not say how many individuals were affected beyond the four New Hampshire residents covered by the letter.

HMC notified IBU, which requested that HMC notify those affected as well as regulators on its behalf.

“To help prevent this type of incident from occurring again, HMC is adding enhanced security protocols to its current server, including removing access to the server through Remote Desktop Protocol. It also is migrating its server to another cloud computing service, which will provide additional security,” HMC said in its letter to the NH Attorney General.

Post Office Found Box of Clinic’s Medical Records in House

Gordon Schanzlin New Vision Institute reported to OCR on Aug. 10 that the theft of paper medical records may have affected PHI of 1,130 individuals.

In a statement, the Gordon Schanzlin related that on June 15 it become aware of a US Postal Service raid on a house in Southern California in which a box of medical records containing information on its clients was recovered.

The clinic launched an investigation and concluded that the box was taken by an unauthorized individual from a storage unit in October 2017.

Information that might have been exposed included patient names, addresses, dates of service, medical records, health insurance information, and Social Security numbers.

“In order to increase the security of our patient files, all information has been removed from the storage unit in question and is now stored with additional physical security measures,” the statement said.

Gordon Schanzlin said it is offering victims one year of free credit monitoring and identity restoration services.

Authentic Recovery Center Cops to Email Hacking Incident

California-based Authentic Recovery Center reported Aug. 17 that an email hacking incident exposed PHI on 1,790 individuals.

In a statement, ARC said that it found out on June 21 that an unauthorized third party had gained access to one of its secure email accounts between June 7 and 21, 2018.

For clients, the information exposed included names, an indication that the individual is or was a client or potential client, clinical information, and, for one individual, payment card information.

For employees, the information exposed included names and driver’s license numbers. For two employees, addresses, phone numbers, dates of birth and Social Security numbers might have been accessed.

ARC said it is offering free credit monitoring and identity theft recovery services to affected individuals.

The center said it is “implementing additional safeguards to further secure all email account information and providing additional training about the proper way to secure information systems.”

CoreSource Reports Unauthorized Disclosure of Health Plan Data

CoreSource, an Illinois-based health plan administration service provider, reported to OCR Aug. 3 that an unauthorized disclosure of PHI may have affected 769 individuals.

In a press release, CoreSource said that a file transferred to a client and its vendor containing information about prescription medication claims processed by CoreSource under an employee health plan inadvertently included prescription medication claim information for employees of Bedford Central School District in New York.

“On May 9, 2018, CoreSource transferred the prescription medication claims file to a client in a secure manner. That client then transferred the file to its vendor, who is their business associate, on or around May 15, 2018, also in a secure manner. On May 18, 2018, CoreSource was notified by the vendor that the file contained information about employees of Bedford Central School District,” the release explained.

Information that may have been exposed included member’s name, member plan ID number, relationship to employee, drug code, drug description, pharmacy name, prescription number, service date, paid date, quantity, days’ supply, cost and fee amounts, copay amount, and plan paid amount.

CoreSource said it is providing a year of identity theft protection services for free to those impacted by the breach.


Or go back to

Daniel Lucani

PhD at MIT. Author of 8 patents and applications on network coding. Tech expert 12+ years experience.