From a third-party data breach to the Chicago-based CommonSpirit ransomware attack that shut down IT systems at affiliated hospitals around the country, here are eight health systems that have been affected by a cybersecurity incident since Sept. 30:
- Seattle Children's notified 6,750 patients that some of their protected health information may have been compromised in a ransomware attack against third-party printing vendor Kaye-Smith. The information compromised included names, addresses, provider names, medical record numbers, visits, lab information, guarantor numbers and names of insurance carriers.
- Danville, Pa.-based Geisinger notified 2,857 patients that some of their protected health information may have been compromised in a ransomware attack against third-party printing vendor Kaye-Smith. The information compromised included names, addresses, medical record numbers, dates of service and payment installment plans.
- The Department of Veterans Affairs opened a cyber breach investigation after hard-coded administrator account privileges, encrypted key tokens and specific database table information was published on internet hosting service GitHub in July. The breach occurred after a contractor had allegedly copied source code from a VA-managed GitHub account and published it on their own personal GitHub account.
- Seattle-based UW Medicine notified 3,800 patients that some of their protected health information may have been compromised in a ransomware attack against third-party printing vendor Kaye-Smith. On Aug. 24, Kaye-Smith notified UW Medicine that the breach resulted in unauthorized access to files containing patient data from UW Medicine's patient account and support services statements and letters related to billing services. The information compromised includes names, addresses, account numbers, medical record numbers, treatment provider names and descriptions of medical services.
- After more than a week of IT outages at CommonSpirit Health hospitals across the country, the Chicago-based system confirmed on Oct. 14 that it had fallen victim to a ransomware attack. CommonSpirit said upon discovering the ransomware attack it took steps to protect its systems, including taking certain ones offline, including EHRs. The health system said it is also working with cybersecurity specialists and law enforcement to investigate and respond to the incident and determine "any data impacts."
- Tacoma, Wash.-based MultiCare Health System said that some of its employees' personal data was compromised in a ransomware attack against third-party printing vendor Kaye-Smith. MultiCare was notified Sept. 30 that the names, addresses and Social Security numbers for "a number" of current and former employees were stolen in the cyberattack.
- Raleigh, N.C.-based WakeMed notified patients that some of their data may have been inadvertently sent to Facebook. The health system installed Facebook's Meta Pixel tracker on its website and MyChart patient portal in March 2018, which may have transmitted some of the information entered into the MyChart patient portal and appointment scheduling page back to the company, according to WakeMed.
- Ridgewood, N.J.-based Valley Hospital notified patients that some of their personal information was compromised after documents at an outpatient COVID-19 testing facility were improperly discarded.