Texas Medical Center Breach Affects 640,000Apparent Ransomware Attack Exposed Patient Information
An apparent ransomware incident at a Texas healthcare organization has potentially compromised the protected health information of more than 640,000 individuals.
Abilene, Texas-based Hendrick Health on Jan. 15 reported the hacking incident to the Department of Health and Human Services, according to HHS’ Office for Civil Rights’ HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
In a breach notification statement issued Jan. 15, the organization says that on Nov. 20, 2020, it identified a “network security threat” that affected patient information and disrupted the operations of its IT systems.
“We immediately took steps to further secure our systems, launched an investigation and notified law enforcement,” the statement says. “Through the investigation, we have determined that an unauthorized party may have accessed patient information between Oct. 10, 2020, and Nov. 9, 2020, including patients’ names, Social Security numbers, demographic and other limited information about patients’ care at Hendrick.”
Hendrick Health says its electronic health record system was not affected. And the incident only affected patients of Hendrick Medical Center and Hendrick Clinic, not patients of the organization's Hendrick Medical Center Brownwood and Hendrick Medical Center South facilities.
Shut IT Networks
Upon discovering the security incident in November, Hendrick issued a statement saying that to fully address the issue, “we have shut down Hendrick IT networks. Our primary goal is to maintain patient safety while administering downtime procedures.”
The statement noted: “Network security threats are an unfortunate reality in our industry, and we have coordinated with industry experts and law enforcement to address the issue to get our networks back up and running.”
During the incident, Hendrick Medical Center's inpatient services, including emergency and critical services, remained available, but some outpatient services needed to be rescheduled.
Hendrick Health did not immediately respond to an Information Security Media Group request for additional details.
Another Recent Ransomware Incident
As of Friday, Hendrick’s hacking incident is the largest breach added to the HHS OCR’s health data breach reporting website so far in 2021.
At least one other apparent ransomware-related breach is among the 15 breaches added to the federal tally so far this year: a hacking incident reported on Jan. 9 by Texas-based Leon Medical Centers LLC affecting 500 individuals. But a Leon Medical Centers breach notification statement indicates that the number of victims could grow as the incident continues to be assessed.
Recent research by security vendor Emsisoft found that at least 560 U.S. healthcare facilities were hit by ransomware in 2020 (see: