Latest News About Cyberattacks and Email Account Compromise on Healthcare Providers

Ohio Hospital Exposed Nurses and Other Staff to Workplace Violence

The Occupational Safety and Health Administration (OSHA) has confirmed that a children’s hospital based in Columbus, Ohio, didn’t sufficiently safeguard healthcare staff from violence in the workplace. Patients assaulted nurses and other medical specialists, and their kicks, bites, punches, and other attacks resulted in serious injuries to staff members.

OSHA investigated the incident in November 2022 after receiving complaints from mental health personnel and nurses at the Big Lots Behavioral Health Pavilion of Nationwide Children’s Hospital. The complaints concerned serious injuries they suffered because of violent patient incidents, including concussions, lacerations, and sprains. Nationwide Children’s Hospital is the second-biggest pediatric hospital in the U.S., manages 68 facilities across Ohio, and handles more than 1.5 million patient consultations annually. The Big Lots Behavioral Health Pavilion offers acute behavioral healthcare services along with its intensive outpatient solutions.

OSHA established that workers at the facility were exposed to the danger of workplace violence because of inadequate security measures. Incidents such as groping, punching, biting, kicking, scratching, and head-butting caused serious injuries to several employees during the admission procedure. The facility also did not keep appropriate records of injuries to its workers at work.

OSHA issued one citation for a major violation for failing to safeguard employees from workplace violence and another major violation associated with records of occurrences of workplace violence. Corrective measures were suggested to enhance safety at work, and $18,000 in fines were proposed. Nationwide Children’s Hospital’s Behavioral Health Pavilion has 15 days from the day the citations were issued to comply, ask for an informal meeting with the OSHA Area Director, or dispute the results.

The proposed control actions to enhance security include:

  • the creation and implementation of a written workplace violence prevention plan specific to the circumstances and threats at the facility
  • specific written procedures for workers to follow when experiencing or addressing a case of workplace violence
  • the creation and implementation of standardized patient admission practices to deal with patient and employee workplace violence
  • controls to keep patients from using furniture as weapons
  • sufficient workforce to securely handle changes in patient acuity and patient census

OSHA Columbus, Ohio Area Director Larry Johnson said that behavioral healthcare employees may be subjected to risks when dealing with patients who have ailments that could result in violent reactions. Sadly, Nationwide Children’s Hospital did not implement the required safety measures that could have stopped their workers from being hurt.

Idaho Hospitals Reroute Ambulances and Clinic Briefly Closes Because of Cyberattack

Idaho Falls Community Hospital, Mountain View Hospital, and a number of clinics in rural Idaho managed by the same owner were impacted by a recent cyberattack. One clinic, Mountain View RediCare, was temporarily closed while the attack was remediated. All other clinics stayed operational but provided limited services.

The cyberattack was discovered on Memorial Day, and ambulances were rerouted to other hospitals as a precaution. The redirection continued until Wednesday as the facilities continued to experience network problems as a result of the cyberattack. The hospitals stayed open, with employees using pen and paper to record patient data because the network was not accessible. A representative of Idaho Falls Community Hospital stated that patient security is the priority and that work continues 24/7 to restore access to computer systems and to clean its systems. At this point, it isn’t possible to say how long the recovery process will take and when normal operations will resume.

At this time, there is no information concerning the nature of the cyberattack, for example, whether ransomware was used, and it is too soon to say to what degree patient data was affected. The hospital affirmed that the quick action of the IT team to contain the incident limited its effect and helped to secure patient information.

Ransomware Attack at UI Community Home Care

UI Community Home Care, a division of the University of Iowa Health System, recently sent a security breach report to the HHS’ Office for Civil Rights indicating the exposure and potential theft of the protected health information (PHI) of 67,897 individuals.

The provider detected the security breach on March 23, 2023, after discovering that files were encrypted and could not be accessed. According to the forensic investigation, unauthorized access to server files began on or about March 23, 2023, and a number of those files included patient data. The electronic medical record system is independent of the breached servers and wasn’t accessed during the attack.

The data possibly exposed differed from one patient to another and might have contained names along with at least one of these data elements: birth dates, addresses, telephone numbers, referring doctor, dates of service, medical record number, medical insurance details, billing and claims data, medical history details, and diagnosis/treatment data. At the time of sending notifications, UI Community Home Care had not received any report of patient data misuse. Security monitoring was increased in response to the breach to prevent similar events from happening again.

Email Account Compromise at Grant Regional Health Center

Grant Regional Health Center, located in Lancaster, WI, has informed 4,135 patients regarding an employee email account breach. The notification letters do not mention when the breach was discovered, but the forensic investigation confirmed that unauthorized access to the email account occurred from March 20, 2023, to March 24, 2023.

The audit of the email messages and file attachments in the account concluded on May 9, 2023. Patient names were confirmed to have been compromised together with at least one of these data elements: birth date, financial account details, medical data, medical insurance details, Social Security numbers, and Taxpayer ID number. Grant Regional Health Center stated that no attempted or actual misuse of patient information has been found. Email security was upgraded to keep similar breaches from happening again.