Posted on October 27, 2022 in Consumer Privacy & Data Breaches
On October 14, 2022, Ascension St. Vincent’s Coastal Cardiology filed notice of a data breach with the U.S. Department of Health and Human Services Office for Civil Rights after the company experienced what appears to have been a ransomware attack. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, addresses, email addresses, phone numbers, insurance information, clinical information, and billing and insurance information. After confirming that consumer data was leaked, St. Vincent’s Coastal Cardiology began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the St. Vincent’s Coastal Cardiology data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Ascension St. Vincent’s Coastal Cardiology.
The available information regarding the Ascension St. Vincent’s Coastal Cardiology breach comes from the company’s filing with the U.S. Department of Health and Human Services Office for Civil Rights, as well as a notice posted on the practice group’s website. According to these sources, on August 15, 2022, Ascension was alerted to a data security incident involving legacy systems related to the recently acquired practice.
In response, the company secured the legacy network and began working with a cybersecurity firm to assist with the company’s investigation. Ascension also reported the incident to law enforcement. However, Ascension’s efforts failed to prevent unauthorized parties from accessing data contained within the system. Notably, none of Ascension’s current computer systems were among those that were compromised. Because the ransomware encrypted the data on the legacy system, though, Ascension was unable to conclusively determine what data was affected by the breach.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Ascension St. Vincent’s Coastal Cardiology determined that the following patient information may have been contained on the legacy system: names, Social Security numbers, addresses, email addresses, phone numbers, insurance information, clinical information, and billing and insurance information.
On October 14, 2022, Ascension St. Vincent’s Coastal Cardiology sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Ascension St. Vincent’s Coastal Cardiology is a health care practice specializing in heart care located in Brunswick, Georgia. Ascension St. Vincent’s Coastal Cardiology provides patients with a wide range of cardiovascular-related services, including cholesterol health, cardiac rehabilitation, heart surgery, atrial fibrillation, heart rhythm disorders, and vascular surgery. The practice recently became a part of the larger Ascension healthcare network, which is a non-profit Catholic healthcare system based in Austin, Texas. Ascension employs more than 150,000 people and generates approximately $27 billion in annual revenue.
In the letter that Ascension St. Vincent’s Coastal Cardiology sent to those affected by the recent data security incident, the company notes that the leak was caused by a ransomware attack. Ransomware attacks are one of the most common ways cybercriminals orchestrate attacks designed to obtain consumer data. According to the Identity Theft Resource Center (“ITRC”), the number of ransomware attacks more than doubled between 2020 and 2021, increasing from 158 attacks in 2020 to 321 attacks in 2021.
If 321 attacks does not sound like a concerning number, remember that every ransomware attack can impact the personal information of tens of thousands of people. To get a better sense of the scope of the problem, the ITRC reports that over 41 million people fell victim to ransomware attacks in 2021. That’s about 13 percent of the United States population.
Ransomware attacks have been around for decades; however, more recently, the number of ransomware attacks has grown disproportionately when compared to other types of cyberattacks. In part, this is due to technological developments that allow cybercriminals to easily target the most valuable data types, such as Social Security numbers, financial account information, and protected health information.
In a typical ransomware attack, a hacker installs malicious software on a victim’s device. Usually, this is done through a phishing attack or by placing a line of malicious code on the back end of an organization’s website. The malicious software encrypts the data on the device, preventing the victim from logging in. When the victim attempts to log in, they see a message from the hackers demanding a ransom if the organization wants to regain access to their computer network.
More recently, hackers have started taking a more aggressive approach by threatening to publish the stolen data on the dark web if the organization does not pay the demanded ransom. Of course, not every ransomware attack results in consumer data being published on the dark web; however, this isn’t a chance that most organizations (or consumers) are willing to take. Thus, the threat of publishing data adds to an organization’s incentive to pay the ransom—and many organizations end up paying these ransoms. However, the FBI discourages companies from paying ransoms for the same reason the government does not negotiate with terrorists—it emboldens them.
Given the frequency and risks of ransomware attacks, it is important for both consumers and organizations in possession of consumer data to understand what ransomware attacks are, how they can be prevented, and what can be done to limit their effects, including identity theft and other frauds.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the St. Vincent’s Coastal Cardiology data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Ascension St. Vincent’s Coastal Cardiology (the actual notice sent to consumers can be found here):
Maintaining the privacy and security of our patients’ information is of the utmost importance to Ascension. On August 15, 2022, we were alerted to a security event involving recently acquired Ascension St. Vincent’s Coastal Cardiology’s legacy systems, including the electronic medical record. We immediately secured the legacy network, but unfortunately not before some of the information was encrypted by ransomware. No Ascension networks or systems, including the practice’s current electronic medical record, were affected by this incident.
Upon discovery of this incident, we took immediate actions to investigate. We hired a third-party forensic team to assist us with investigating how the perpetrators gained access to encrypt the information. Additionally, we notified law enforcement about the event and will continue to cooperate with them. Our investigation determined that an unauthorized third party accessed systems within the legacy Coastal Cardiology network. The primary purpose of the legacy network was to retain data, including patient information, to meet regulatory requirements, but it was not used for current business operations. At this time, based on our investigation, we do not believe that any information was removed from the systems affected by this event or that it has been misused or shared by the perpetrators.
Unfortunately, because the information was encrypted and we are unable to access it, we are unable to determine exactly what information was affected. However, the legacy record would have contained individuals’ demographic and health information related to visits at Coastal Cardiology prior to October 5, 2021, including: name, address, email address, phone number, and insurance information, as well as Social Security number (if provided), clinical information, and billing and insurance information.
Although there is no indication that the information has been misused, we are offering free credit and identity theft protection services to affected individuals. We advised individuals on steps they can take to protect their information, including obtaining free credit reports, placing a security freeze on credit reports, and contacting appropriate oversight agencies. Ascension has also taken steps to ensure a similar incident does not happen again by initiating a security risk assessment, realigning staff responsibilities, removing access rights to the legacy system and retraining associates.
If you have additional questions, please contact the dedicated assistance line toll free at (855) 532-1247, Monday through Friday from 8:00 a.m. to 5:30 p.m. Central Time, excluding U.S. Holidays.