One-sentence summary:
AvosLocker breached Methodist Family Health of Arkansas in March 2023, affecting 5,000+ patients.
Who was involved?
Methodist Family Health, AvosLocker, and potentially 5,259 patients.
What was the timeline?
March 4, 2023: Breach starts
March 6, 2023: Methodist Family Health detects the breach and quickly ends it
May 2, 2023: Methodist Family Health publishes the notice of data breach on its website
May 3, 2023: Methodist Family Health reports the breach to HHS
What occurred?
The AvosLocker ransomware group attacked Methodist Family Health in March 2023, potentially affecting over 5,259 patients and exposing the following sensitive data: “full name, date of birth, date of admission or treatment, home address, account number, diagnosis, service charges, or medication information” (Banner-News, 2023; HackNotice, 2023).
Estimated costs:
Incident response costs, breach notification costs, and the cost of “outside cybersecurity and privacy specialists”
Involved laws:
Federal: HIPAA and HITECH
State: Arkansas: Ark. Code § 4-110-101 et seq.
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
TBA or N/A (see disclaimer)
Sources:
5newsonline. (2023, May 15). untitled. 5newsonline.com. https://www.5newsonline.com/video/news/health/methodist-family-health-reports-patient-information-data-breach/527-34608b8a-a68e-4431-bd2b-6d1e85c1bd8a
Banner-News. (2023, May 16). Notice of Data Breach. Magnolia Banner News. Retrieved May 17, 2023, from https://www.magnoliabannernews.com/news/2023/may/16/notice-of-data-breach/
HackNotice. (2023, March 7). Methodist Family Health. Retrieved May 17, 2023, from https://app.hacknotice.com/#/hack/6409d466e6832c637ab2975c
HHS. (2023). Cases Currently Under Investigation. In Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. U.S. Department of Health and Human Services Office for Civil Rights. Retrieved May 17, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Methodist Family Health. (2023). Notice of Data Breach. In PRIVACY & HIPAA. Retrieved May 17, 2023, from https://www.methodistfamily.org/patient-privacy-hipaa/