More than 25,000 healthcare patients alerted to potential data breach
The personally identifiable information of more than 25,000 US healthcare patients may have been compromised following a ransomware attack against a drug rehabilitation center.
The Southeastern Council on Alcoholism and Drug Dependence (SCADD), a facility for addiction treatment in Connecticut, said that it had discovered “certain disruptions in its network” on February 18 of this year.
The personal information of 25,148 patients was impacted as a result of the incident, according to the filing made to the US Department of Health and Human Services’ Office for Civil Rights (OCR) – the agency responsible for enforcing US healthcare data protection law.
“SCADD immediately began an investigation to determine the nature and scope of the event,” a security advisory issued by the center reads.
“This investigation included working with third-party forensic experts.”
Names, addresses, Social Security numbers, and medical records are all potentially impacted, the center said, although it has so far seen no misuse of the personal information affected.
SCADD said it is notifying all patients who may have been affected by the incident, but provided no further details.
“The confidentiality, privacy, and security of information is one of SCADD’s highest priorities and the organization takes this matter seriously,” it said, pledging to provide access to free credit monitoring and identity protection services.
The OCR will now conduct a review to determine whether SCADD violated any rules under HIPAA (the Health Insurance Portability and Accountability Act 1996), the law that creates digital safeguards for consumers’ medical information.
If the center was aware of the incident in February, SCADD fell outside the 60-day period for reporting a breach.
Penalties issued under HIPAA were recently lowered in order to improve data protection enforcement in the healthcare sector.
The Daily Swig has reached out to SCADD for comment.