Home News HMC says ransomware attack turned into a data breach

HMC says ransomware attack turned into a data breach

Ransomware attacks, ransomware, Sinclair Broadcast group

Health Management Concepts (HMC) recently experienced a ransomware attack that quickly turned into a major data breach that compromised the patient’s personal data like names, social security numbers, and health insurance information.

HMC notified the New Hampshire Attorney General that it has discovered, on July 16, a ransomware attack on its server which is used to share files with the clients. The healthcare management vendor provides chronic condition management to IBU (Inlandboatmen’s United of the Pacific National Benefit Funds).

On July 19, HMC revealed that the forensic firm that was engaged to handle the ransomware incident unintentionally provided a file containing personal information like patients’ names, social security numbers, and health insurance plan data of IBU’s members, including social security numbers of four New Hampshire residents.

“To help prevent this type of incident from occurring again, HMC is adding enhanced security protocols to its current server, including removing access to the server through Remote Desktop Protocol. It also is migrating its server to another cloud computing service, which will provide additional security,” HMC said in its letter to the NH Attorney General.

HMC did not clarify how the personal information was provided to the attackers and also did not announced the number of victims affected by the incident apart from the four New Hampshire residents.

In a similar data breach incident, the Lowa-based health system UnityPoint Health fell victim to a data heist that compromised 1.4 million patient records. According to an official statement from the company, the issue began when UnityPoint Health received a series of phishing emails that trapped some employees to provide their sign-in credentials. This gave the hackers unauthorized access to the company’s business email accounts. The organization discovered the incident on May 31, 2018, and notified the victims about the data theft.