Clarke County Hospital

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Clarke County Hospital in Osceola, Iowa, experienced a significant data breach that was disclosed to the public in May 2023. The breach was first detected on April 14, 2023, when suspicious activity was observed within the hospital’s computer network. In response, Clarke County Hospital immediately shut off all access to its network and initiated an investigation with the assistance of a third-party cybersecurity firm. This investigation confirmed that an unauthorized party had gained access to the network and that some files containing confidential patient information were accessible to the intruder[1][7][9].

The compromised data included a wide range of personal and health information, such as patients’ first and last names, addresses, dates of birth, health insurance information, medical record numbers, diagnostic information, and protected health information. However, it was noted that electronic medical records, Social Security numbers, banking information, credit card information, and financial information were not involved in the breach[1][7].

Following the discovery of the breach, Clarke County Hospital began the process of reviewing the affected files to determine the scope of the information compromised and which consumers were impacted. On May 17, 2023, the hospital sent out data breach notification letters to all individuals whose information was compromised as a result of the incident. The breach affected over 28,000 patients, making it a significant event in terms of the number of individuals impacted[1][3][11].

The breach was attributed to the Royal ransomware gang, which claimed responsibility for the attack and used it as part of their extortion tactics. The gang listed Clarke County Hospital on their data leak site on April 24, 2023, and even reposted the listing about a week later, actively leaking data that included sensitive information[7].

Clarke County Hospital is a 25-bed critical access hospital that provides a range of medical services to patients in and around Clarke County. The hospital employs more than 60 people and generates approximately $17 million in annual revenue[1]. In the wake of the breach, Clarke County Hospital has emphasized that it has found no evidence that the compromised information has been misused. Nonetheless, the hospital has taken steps to enhance its security practices to prevent similar incidents in the future[9].

Citations:

  1. https://www.jdsupra.com/legalnews/clarke-county-hospital-notifies-over-1413569/
  2. https://who13.com
  3. https://www.hipaajournal.com/28000-clarke-county-hospital-patients-affected-by-april-cyberattack/
  4. https://web.pulsepoint.org
  5. https://www.clarkehosp.org/filesimages/Notice%20of%20Data%20Incident.pdf
  6. https://ripmedicaldebt.org
  7. https://www.techtarget.com/searchsecurity/news/366538296/Iowa-hospital-discloses-breach-following-Royal-ransomware-leak
  8. https://who13.com/sports/soundoff/murphys-law/murphys-law-as-clark-approaches-history-a-history-lesson/
  9. https://www.beckershospitalreview.com/cybersecurity/iowa-hospital-discloses-data-breach.html
  10. https://www.sandiegouniontribune.com
  11. https://www.myinjuryattorney.com/clarke-county-hospital-data-breach-alert/
  12. https://msdh.ms.gov
  13. https://www.breachsense.com/breaches/clarke-county-hospital-data-breach/
  14. https://www.cdc.gov/coronavirus/2019-ncov/your-health/covid-by-county.html
  15. https://www.thegazette.com/state-government/personal-data-for-233000-iowa-medicaid-members-compromised-in-cyber-attack/
  16. https://www.miamiherald.com
Breach Submission Date May 17, 2023
Converted Entity Name Clarke County Hospital
Converted Entity Type Healthcare Provider
State IA
Individuals Affected 28,003
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes