Episcopal Health Services Targeted in Hospital Ransomware Attack

Episcopal Health Services, a major New York hospital system, announced in late 2018 that it had become aware of a significant phishing attackon its system.

According to a statement (titled “Notice of Data Privacy Event”), the company first became aware of suspicious activity in employee email accounts on Sept. 18, 2018. This sparked an immediate investigation to determine the extent of the event and figure out what information may have been impacted.

The investigation, which involved the assistance of third-party forensic investigators, found that certain employee email accounts had been accessed by unauthorized persons for a period of just more than a month, between Aug. 28, 2018, and Oct. 5, 2018.

Unfortunately, the emails potentially impacted in the security breach contained a wide variety of information, including sensitive protected health information, such as:

• Social Security number
• Date of birth
• Financial account information
• Medical history information
• Prescription information
• Medical record number
• Treatment or diagnosis information
• Health insurance information
• Policy number

The types of information compromised varied by the individual.

In response to the incident, Episcopal Health Services said that it “is committed to, and takes very seriously, its responsibility to protect all data entrusted to us.” Therefore, the company said, it would be changing employee email log-in credentials and continuing ongoing security enhancements in order to bolster its security.

Furthermore, “in an abundance of caution,” the company said it would also notify individuals who were potentially affected and offer 12 months of complimentary credit monitoring to help them protect their personal information.

According to the hospital system, it began notifying patients on Nov. 15, 2018, but later began a second round of notifications to additional patients the hospital found were also potentially impacted. In a November 2018 report about the breach to the Department of Health and Human Services, it was reported that a total of 218,055 patient records had been breached, HealthITSecurity.com reported.

The hospital advised patients to “remain vigilant” to the potential consequences of personal information being accessed, such as identity theft and fraud. To do so, the company advised potential victims to regularly review account statements for any suspicious activity and to report any unauthorized charges to banks or credit card companies as soon as possible.

Unfortunately, ransomware attacks like this have become increasingly common in recent years. Major ransomware attacks have reportedly targeted hospitals, schools, and cities—in short, anywhere that might have large databases of personal information.

These attacks can expose the personal information of a vast swath of people at once, and in the case of hospital systems, it can cause a delay in patient care, potentially putting lives at risk, according to a CNN report.

If you were a patient at a hospital, clinic, or other healthcare facility when a medical ransomware attack affected your medical care, you may be able to join a class action lawsuit investigation.

Join a Free Hospital Ransomware Attack Class Action Lawsuit Investigation

If you were a patient at a hospital or healthcare facility affected by a ransomware attack that impacted your medical care, you may qualify to join a hospital ransomware attack class action lawsuit investigation.

Learn More

This article is not legal advice. It is presented
for informational purposes only.