Cybersecurity News Roundup: OneBlood Recovers From Ransomware Attack, Change Begins Sending Breach Notifications
This week brought some positive news for hospitals and health systems in the southeastern United States that rely on blood supplies, with critical networks back online after an August 1 ransomware attack that shut down provider OneBlood. In addition, a 2019 breach of a Supreme Court justice’s protected health information by an alleged insider was brought to federal court and resulted in a conviction.
In other news, the U.S. Department of Health and Human Services has accepted a breach notification from Change Healthcare that says the number of individuals affected is at least 500 after ransomware caused a nationwide outage in claims payments, disrupting care and exposing the PHI of millions of patients.
OneBlood Online Critical Software
An Orlando-based blood supplier said its network has been partially restored following a ransomware attack and is encouraging blood donations as Tropical Storm Debby threatens the region, according to a report from CBS Miami News in Monday.
“The top priority is to get the software system used to manage the blood supply back up and running, and the team has been working around the clock to make that happen,” Susan Forbes, OneBlood’s senior vice president of corporate communications and public affairs, said in an update Tuesday.
“At this time, our operations of processing and distributing blood products to hospitals are close to normal,” she said.
OneBlood, a company that distributes blood to more than 250 hospitals in the southeastern United States, has become the third target of ransomware attacks on blood suppliers in recent months. That has prompted the American Hospital Association to warn U.S. hospitals to make contingency plans for their blood supplies.
“The blood supply cannot be underestimated,” Forbes said in an update on the ransomware incident.
“In a moment, any of us could find ourselves the recipient of a blood transfusion.”
The company stated in its FAQ that it does not yet have information on whether donors’ personal information was compromised in the July 29 attack.
Change reporting to HHS
Nearly five months after a ransomware attack forced Change Healthcare to shut down, parent company United Health Group reported the data breach to the HHS Office for Civil Rights.
UHG reported that 500 individuals were affected. However, mandatory data breach reporting came after the healthcare clearinghouse began sending breach notifications directly to affected patients on July 31.
The scale of the breach is believed to have affected millions of patients, and in June, OCR said Change had a responsibility to notify affected patients of the stolen information.
That month, the company sent notices to customers whose member or patient data was implicated in the attack.
While the agency had previously opened an investigation into the breach, it recently said data analysis to understand the extent of the breach is still underway.
“Change Healthcare’s breach report to OCR identified approximately 500 individuals as the number of individuals affected,” the agency said on Change Healthcare’s Cybersecurity Incident FAQ page.
“Change Healthcare is still determining the number of individuals affected,” the agency said, noting that the information on the HHS Breach Portal will be revised if Change Healthcare updates the total number of individuals affected.
On May 1, UnitedHeath Group CEO Andrew Witty explained to Congress why he decided to pay the $22 million ransom in Bitcoin, adding that the company did not have access to the stolen data until mid-March.
“We are working tirelessly to uncover and understand every detail possible, and we will use this information to strengthen our cyber defenses like never before,” he told lawmakers.
Justice for Ginsburg’s Data Breach
Last week, a federal court convicted Trent James Russell of Arlington, Virginia, a former military medic who worked as an organ transplant coordinator, of accessing and publicly disclosing the health information of U.S. Supreme Court Justice Ruth Bader Ginsburg in July 2019.
Russell is accused of posting screenshots of his cancer care information, including the dates of his radiation treatments.
The screenshot first appeared on the 4chan message board during a discussion suggesting that Justice Ginsburg, who died on September 18, 2020, had died a year earlier in a plot to prevent then-President Donald Trump from selecting a new justice.
Then this image started circulating on the Internet.
Russell has pleaded not guilty and said he never accessed her medical records at George Washington University Hospital in Washington, DC, where she was undergoing radiation and other cancer treatments. WRAL News the report said.
According to the story, he testified that he and his colleagues shared passwords to bypass technical requirements that slowed the donation process. But prosecutors said he tried to destroy evidence after his remote access was disabled and moved to Nebraska.
Russell faces a maximum sentence of 20 years in prison when he is sentenced on November 7.
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a publication of HIMSS Media.
The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31 through November 1 in Washington, DC. Learn more and register.
