Clarke County Hospital
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
Clarke County Hospital in Osceola, Iowa, experienced a significant data breach that was disclosed to the public in May 2023. The breach was first detected on April 14, 2023, when suspicious activity was observed within the hospital’s computer network. In response, Clarke County Hospital immediately shut off all access to its network and initiated an investigation with the assistance of a third-party cybersecurity firm. This investigation confirmed that an unauthorized party had gained access to the network and that some files containing confidential patient information were accessible to the intruder[1][7][9].
The compromised data included a wide range of personal and health information, such as patients’ first and last names, addresses, dates of birth, health insurance information, medical record numbers, diagnostic information, and protected health information. However, it was noted that electronic medical records, Social Security numbers, banking information, credit card information, and financial information were not involved in the breach[1][7].
Following the discovery of the breach, Clarke County Hospital began the process of reviewing the affected files to determine the scope of the information compromised and which consumers were impacted. On May 17, 2023, the hospital sent out data breach notification letters to all individuals whose information was compromised as a result of the incident. The breach affected over 28,000 patients, making it a significant event in terms of the number of individuals impacted[1][3][11].
The breach was attributed to the Royal ransomware gang, which claimed responsibility for the attack and used it as part of their extortion tactics. The gang listed Clarke County Hospital on their data leak site on April 24, 2023, and even reposted the listing about a week later, actively leaking data that included sensitive information[7].
Clarke County Hospital is a 25-bed critical access hospital that provides a range of medical services to patients in and around Clarke County. The hospital employs more than 60 people and generates approximately $17 million in annual revenue[1]. In the wake of the breach, Clarke County Hospital has emphasized that it has found no evidence that the compromised information has been misused. Nonetheless, the hospital has taken steps to enhance its security practices to prevent similar incidents in the future[9].
Citations:
- https://www.jdsupra.com/legalnews/clarke-county-hospital-notifies-over-1413569/
- https://who13.com
- https://www.hipaajournal.com/28000-clarke-county-hospital-patients-affected-by-april-cyberattack/
- https://web.pulsepoint.org
- https://www.clarkehosp.org/filesimages/Notice%20of%20Data%20Incident.pdf
- https://ripmedicaldebt.org
- https://www.techtarget.com/searchsecurity/news/366538296/Iowa-hospital-discloses-breach-following-Royal-ransomware-leak
- https://who13.com/sports/soundoff/murphys-law/murphys-law-as-clark-approaches-history-a-history-lesson/
- https://www.beckershospitalreview.com/cybersecurity/iowa-hospital-discloses-data-breach.html
- https://www.sandiegouniontribune.com
- https://www.myinjuryattorney.com/clarke-county-hospital-data-breach-alert/
- https://msdh.ms.gov
- https://www.breachsense.com/breaches/clarke-county-hospital-data-breach/
- https://www.cdc.gov/coronavirus/2019-ncov/your-health/covid-by-county.html
- https://www.thegazette.com/state-government/personal-data-for-233000-iowa-medicaid-members-compromised-in-cyber-attack/
- https://www.miamiherald.com