PIH Health making progress resolving massive cyber attack that paralyzed 3 hospitals

Phone service has been restored at PIH Health’s three hospitals where a debilitating ransomware attack purportedly compromised 17 million patient records.

The Dec. 1 breach downed computers and most phone systems at PIH Health Downey Hospital, PIH Health Whittier Hospital and PIH Health Good Samaritan Hospital in Los Angeles. It also compromised systems at the organization’s urgent care centers, doctors’ offices and a home health and hospice agency.

PIH announced on its website that services at hospitals for incoming and outgoing calls are available, while phone systems at physician offices should be functional this week.

“We are still facing some limited functionality, which we are working on internally,” PIH said in the statement. “However, patients can call the hospitals’ main phone numbers to reach services and patient rooms.”

PIH said it has increased staffing to handle an anticipated high volume of phone calls, but noted some medical procedures and surgeries may be cancelled due to ongoing technology issues.

“We apologize for any inconvenience caused by this incident, and all our teams continue to work diligently to resolve this issue quickly and bring the rest of our systems back online securely,” Amanda Enriquez, a spokesperson for PIH, said in an email.

Last week the Southern California News Group obtained a copy of a threatening typewritten letter purportedly faxed by the unidentified hackers to PIH outlining the scope of the attack.

The cyber thieves said they found PIH’s network “highly vulnerable,” with data stored insecurely on servers, and claimed to have stolen about 2 terabytes of files, documents and reports, including:

  • 17 million patient records that include personal and medical information.
  • Data for more than 8.1 million “medical episodes” along with patient home addresses, phone numbers, places of employment and medical expenses.
  • Lists of confidential diagnoses, test results, patient photos and scans.
  • Treatments for thousands of patients, including those diagnosed with cancer.
  • PIH’s oncology profitability and monthly volumes.
  • Private emails with patients about their treatments and test results.
  • About 100 active nondisclosure agreements between PIH and other medical organizations and parties.
  • Confidentiality agreements with employees.

It is unknown if PIH has paid a ransom to the hackers. No known group has publicly claimed responsibility for the attack.

PIH said it is working with a cyber forensic specialist and the FBI to unravel the breach.

If the hackers’ claims of stealing 17 million records are accurate, the PIH ransomware attack could potentially become the second-largest health data breach this year, according to bankinfosecurity.com.

The incident marks the second time hackers have successfully targeted PIH.

In June 2019, a targeted email phishing campaign against PIH employees compromised personal and protected health information for nearly 200,000 patients. However, PIH didn’t report the breach to the U.S. Health and Human Services Office for Civil Rights until seven months later.

According to Health Insurance Portability and Accountability Act (HIPAA) regulations, covered entities must report breaches affecting protected health information within 60 days of discovering the breach.

The recent ransomware attack has prompted several law firms to aggressively solicit plaintiffs online for class-action lawsuits against PIH.

“Our attorneys believe that any health entity that collects and stores your sensitive data has a duty to properly protect it from ransomware attacks,” the Lyon Firm, which has offices in Irvine, said on its website. “If a company is deemed negligent and has not maintained reasonably secure IT security systems, they may be held accountable.”
