An Indiana hospital recently announced that it suffered a healthcare ransomware attack that potentially affected 1.5 million patients. Eskenazi Health began notifying affected individuals on Nov 11, 2021 of the incident after concluding their investigation.

What Do We Know About the Healthcare Ransomware Attack?


According to a press release published by Eskenazi Health, its security team became aware of suspicious activity on the hospital’s systems on August 4, 2021, and promptly took the network offline. However, further investigation into the healthcare ransomware attack revealed that the network had been compromised since May 19, 2021.

The incident enabled threat actors to steal patient protected health information (PHI) and sensitive employee data, some of which was posted on the dark web.

In a press release announcing the incident, the hospital stated, “Eskenazi Health values its patients, employees and providers and is committed to privacy. We quickly engaged an independent forensic team to investigate and contain the incident and to protect against further criminal activity. Eskenazi Health’s forensic team conducted an extensive investigation and assisted Eskenazi Health with mitigation steps to ensure the cyber criminals were no longer on its network. Eskenazi Health also notified the FBI and enabled additional security measures to further enhance its network security. There is no evidence that any files were ever locked by the cyber criminals, and Eskenazi Health did not make a ransom payment to the cyber criminals.”


PHI potentially accessed during the healthcare ransomware attack included names, dates of birth, ages, addresses, telephone numbers, email addresses, medical record numbers, patient account numbers, diagnoses, clinical information, physician names, insurance information, prescriptions, dates of service, driver’s license numbers, passport numbers, facial photos, Social Security numbers, and credit card information.

Although not all patients were affected by the incident, Eskenazi Health chose to notify all 1,515,918 patients it had treated recently. Patients whose information was posted on the dark web have been sent separate breach notification letters informing them of that exposure. The hospital has also offered complimentary identity theft and credit monitoring services to all patients.

Preventing Breaches with HIPAA Compliance

HIPAA-compliant businesses are inherently more secure, because HIPAA dictates minimum security practices that businesses must have in place to protect PHI. Healthcare businesses are also required to track access to PHI to ensure that it is accessed appropriately, and only by authorized parties. While it seems that Eskenazi Health had these systems in place, they were likely not adequate, as it took the hospital almost three months to detect the suspicious activity.

To make sure that you are adequately protecting PHI, it is important to conduct an annual HIPAA security risk assessment (SRA). An SRA measures a business’s current security practices against HIPAA standards, uncovering deficiencies that present risks to PHI. HIPAA-compliant businesses use the findings of their SRA to address security vulnerabilities and better protect PHI.