Potential Cyberattacks on Ascension, Palomar Health Medical Group and Georgia Institute for Plastic Surgery

Ascension Cyberattack Investigation

Ascension, the biggest nonprofit and Catholic health system in America, stated it is looking into a suspected cyberattack that has interrupted clinical operations. As a safety precaution, business associates have been instructed to disconnect from its systems. The Google-owned cybersecurity company Mandiant assisted with the investigation and remediation initiatives and the appropriate authorities were informed regarding the supposed cyberattack.

Ascension applied its incident response procedures when abnormal activity was discovered in parts of its systems and is presently evaluating the effect and duration of the disruption. That process has required taking specific systems offline. Policies and protocols were created and employees were trained on giving care without using IT systems. Steps have been taken to decrease the impact on patients and make sure patient care is safely given. Several Ascension hospitals have diverted their emergency ambulances to alternative facilities.

Ascension manages 142 hospitals, 40 senior living facilities, and more than 2,600 care sites in the District of Columbia and 19 states. It is currently not clear how many facilities were affected although there have been news reports suggesting that hospitals in several states are having disruption, with workers at those hospitals reporting that charting, booking, and prescription writing systems were impacted.

Ascension stated the strange activity was noticed within its network on May 8, 2024, and presented a summation of its actions in reply to the suspected cyberattack. However, few details concerning the attack have been provided, for example, whether the cyberattack involved ransomware. At this early phase of the investigation, it is uncertain to what degree, if any, patient information has been compromised. A spokesperson for Ascension mentioned patients will be informed when it is confirmed that sensitive patient information has been exposed and further information regarding the incident and its effect will be disclosed as the investigation advances.

Potential Cyberattack on Palomar Health Medical Group

Palomar Health Medical Group, a company providing primary and specialty care in North San Diego County, CA, is looking into a potential cyberattack following the discovery of suspicious activity inside its computer system. The strange activity was seen on May 5, 2024, prompting the disconnection of the impacted systems from the web to control any malware.

Because of breach response procedures, the patient website, telephones, and faxes are inaccessible. With the majority of communication systems unavailable, patients were instructed to see their doctors face-to-face and to count on delays because of the disruption. Third-party cybersecurity professionals are investigating the incident to determine the cause of the disruption, and the network will be restored online if it is safe. At this point of the investigation, it is still not possible to tell if patient information was exposed.

The incident seems to be limited to Palomar Health Medical Group. It did not impact the Palomar Health Healthcare District, including Palomar Medical Center Escondido and Palomar Medical Center Poway.

Theft of Georgia Institute for Plastic Surgery Patients Data

The Georgia Institute for Plastic Surgery based in Savannah, GA, has informed 8,111 present and past patients about the theft of some of their PHI by an unauthorized person who acquired access to a system server on December 30, 2023. The attack was discovered on or about February 22, 2024. A third-party cybersecurity company affirmed that the attacker accessed the server using a remote desktop.

The server stored files that contained patients’ complete names, addresses, birth dates, telephone numbers, patient account numbers, diagnosis codes, and/or procedure codes. In compliance with HIPAA breach notification rules, notification letters were sent to affected persons on April 24, 2024, and they were instructed what to do to minimize the risk of misuse of their data.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X https://twitter.com/DanielLHIPAA