Ascension, a U.S. hospital chain, has recently submitted its initial breach report following a ransomware attack on May 8 that resulted in the theft of data from seven servers impacting patient care services across multiple states. The incident affected at least 500 individuals, and the organization is currently working with third-party experts to assess the extent of the data compromised.

The breach report, filed with the U.S. Department of Health and Human Services on July 3, is a necessary step to comply with the 60-day breach notification deadline for incidents involving protected health information affecting 500 or more individuals. Ascension emphasized that the report is preliminary and will be updated once a comprehensive review of the impacted data is completed, after which affected individuals will be notified in accordance with legal requirements.

The analysis of the breached data is expected to take several more weeks, underscoring the complexity involved in investigating and responding to such incidents. The ransomware attack was attributed to a Russian-speaking group, although Ascension has not officially confirmed the identity of the attacker. Following the discovery of the breach, the organization took swift action to shut down its IT systems in the affected regions until restoration was completed.

On the other hand, Change Healthcare, the IT services unit of UnitedHealth Group, is facing a similar situation after a cyberattack in February. The company is yet to file a breach report with federal regulators or commence the notification process for the millions of individuals potentially impacted by the breach. Although Change Healthcare issued a substitute breach notice to healthcare sector clients last month, individual notifications are not expected to begin until late July.

The delay in reporting and notifying affected individuals is a common challenge faced by organizations dealing with significant cyber incidents like ransomware attacks. Regulatory attorney Sara Goldstein emphasized the importance of transparency and timely communication in such situations to mitigate the risks of identity theft and other fraud crimes. Change Healthcare is actively updating stakeholders on the incident and collaborating with regulators to expedite the notification process.

State attorneys general have issued warnings to consumers about potential risks stemming from the data stolen in the Change Healthcare attack, urging the company to enhance protections for affected entities and individuals. The incident, which involved a substantial ransom payment, underscores the pervasive impact of cyber threats on healthcare organizations and the critical need for robust security measures.

As investigations continue and more information emerges, organizations like Ascension and Change Healthcare are navigating the complexities of breach response and compliance with regulatory requirements. The evolving nature of cyber threats highlights the importance of proactive cybersecurity measures and effective incident response strategies to safeguard sensitive data and protect individuals from harm.

Source link