Meanwhile, Ohio-based Memorial Health System struggles to get back online after a ransomware attack.
By Kat Jercich for Healthcare IT News
The University of New Mexico Health System began notifying patients earlier this month about a recent cybersecurity incident resulting in potential data exposure.
According to the system’s report to the U.S. Department of Health and Human Services Office of Civil Rights, 637,252 individuals were affected.
UNM Health said that on May 2, an unauthorized third party gained access to its network and could have accessed or obtained certain files. The health system discovered the breach on June 4, more than a month later.
“One of the more disparaging and difficult issues with data breaches is the revelation of how long the cybercriminals were inside the organization’s network undetected,” observed James McQuiggan, security awareness advocate at the training vendor KnowBe4.
“Part of the cybercriminal’s repertoire is to silently work through an endpoint to the critical systems by using exploits and stolen credentials,” McQuiggan added.
After reviewing the files, UNM Health determined that some patient information – such as names, addresses, dates of birth, medical record or patient identification numbers, health insurance information and limited clinical information regarding care – was contained within them. Some patients’ Social Security numbers also were involved.
UNM Health’s electronic health record was not accessible, said officials, who did not share any more details about the nature of the incident.
“UNM Health takes this issue very seriously and is taking steps to help ensure something like this does not happen again. UNM Health has provided additional education to staff and is enhancing the security of its systems and the information it maintains,” wrote representatives in a notice posted to the health system’s website.
A cyberattack at Memorial Health
Halfway across the country, Memorial Health System’s health services were disrupted by a ransomware attack reportedly carried out by the Hive ransomware gang.
“Memorial Health System is a nonprofit organization, which makes it an even more attractive target for cybercriminals because nonprofits are often viewed as having lower defensive maturity and limited cybersecurity expertise,” observed Stephan Chenette, cofounder and chief technology officer at the security optimization platform AttackIQ.
The attack, which was discovered early Sunday morning, forced the Ohio-based Memorial to suspend user access to IT applications. The health system canceled all urgent surgical cases and all radiology exams for Monday, with all primary care appointments held as scheduled.
Staff at Memorial’s hospitals – Marietta Memorial, Selby and Sistersville General Hospital – also had to rely on paper charts while systems were restored.
“Maintaining the safety and security of our patients and their care is our top priority and we are doing everything possible to minimize disruption,” said Memorial Health System President and CEO Scott Cantley in a statement.
“At this time no known patient or employee personal or financial information has been compromised,” he added. “We are continuing to work with IT security experts to methodically investigate to precisely understand what happened and are taking the appropriate actions to resolve any and all issues.”
As of Wednesday, no updates had been posted to Memorial’s website or Facebook page about system restoration.