Breach Notification , Healthcare , HIPAA/HITECH

Florida Hospital Begins Breach Notification Post-Attack

Tallahassee Memorial Says Patient Data 'Obtained' in February Security Incident
Florida Hospital Begins Breach Notification Post-Attack
Tallahassee Memorial HealthCare is notifying individuals of a breach in the wake of a data security incident in February that disrupted patient services for about two weeks. (Image: TMH)

A Florida-based community healthcare system has begun notifying about 20,000 individuals whose information was compromised in a data security incident that prompted the organization to operate under its IT downtime procedures, including diverting some emergency patients, for two weeks in February.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

Tallahassee Memorial HealthCare says its investigation into the February incident determined that an "unauthorized person" had gained access to its computer network and obtained certain files from its systems between Jan. 26 and Feb. 2.

Affected information includes names, addresses, birthdates, Social Security numbers, health insurance information, medical record numbers, patient account numbers and some treatment information related to care received at TMH.

No financial account or payment card information was affected and TMH's electronic medical records were not involved in the compromise, the organization says.

TMH is a private, nonprofit entity that operates about 25 facilities serving patients in 17 counties of North Florida and South Georgia, including a psychiatric hospital, specialty care clinics and a 772-bed acute care hospital.

The organization says it first detected "unusual activity" involving its computer systems on Feb. 3, prompting it to operate under its "IT system downtime protocols" for about two weeks. During that time, TMH resorted to using paper documentation instead of electronic health records, diverted some emergency patients to other facilities, and canceled or postponed nonemergency surgical and outpatient procedures.

So far, TMH has not publicly confirmed if the episode involved ransomware, but it says it has worked with law enforcement and state and federal agencies to manage the investigation and recovery from the incident (see: Cyberattack Wave on Healthcare Reaches Florida and Maryland).

"Due to the confidential nature of the investigation into this event, we are not able to provide additional details. Law enforcement is aware and investigating," TMH said in a statement to Information Security Media Group.

So far in 2023, at least six U.S. healthcare systems with a total of 14 hospitals have been affected by ransomware, and at least five of those organizations experienced data theft, said Brett Callow, threat analyst at security firm Emsisoft.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.