1.8 Million Individuals Impacted by Ransomware Attack on Summit Pathology
Colorado-based Summit Pathology Laboratories, Inc. has reported a data breach to the HHS’ Office for Civil Rights (OCR). The April 2024 cyberattack on the pathology services provider affected 1,813,538 patients. Summit Pathology noticed suspicious activity in its computer systems on or about April 18, 2024, and took prompt action to stop the ongoing unauthorized access. A third-party cybersecurity firm was engaged to investigate the attack and determine the nature and extent of the breach.
The investigation uncovered evidence confirming that a cybercriminal had gained unauthorized access to, or extracted, files containing patient information. Analysis of those files showed they included names, addresses, dates of birth, financial data, Social Security numbers, billing details, health insurance information, and medical data such as diagnoses. According to a notice published on the Summit Pathology website, the lab is addressing the effect of cyberattacks on consumers and healthcare companies, and it continues to strengthen its defenses against cyberattacks to protect data.
Summit Pathology said it has notified law enforcement about the cyberattack. It has reviewed its existing data security policies and procedures and implemented additional administrative and technical safeguards to prevent similar attacks in the future. Affected individuals have been offered credit monitoring and identity theft protection services, including a $1,000,000 identity theft insurance policy.
The breach notice on the Summit Pathology website does not describe the nature of the attack. However, a lawyer representing Summit Pathology told the Information Security Media Group that the Medusa ransomware group was responsible, and that the attack was discovered shortly after an employee opened a malicious file attached to a phishing email. The lawyer did not say whether Summit Pathology paid a ransom; however, the provider has not been listed on the Medusa data leak site. The group is known to publish victims’ data on that site when its ransom demands are not met.
A data breach of this size is almost certain to draw lawsuits from affected patients, and their lawyers wasted no time filing them. The first lawsuit was filed within days of the individual notification letters being mailed, and more than six others have followed. Given the number of people affected, more lawsuits are sure to follow in the coming days and weeks.
Summit Pathology is not the only pathology service provider to suffer a ransomware attack this year. Synnovis, which provides pathology services to the National Health Service (NHS) in the United Kingdom, was hit by a highly disruptive ransomware attack in June 2024. The attack disrupted NHS pathology services in London and triggered a nationwide shortage of type O blood because the systems used for blood matching were unavailable. The attack was carried out by the Qilin ransomware group, which exposed 400 GB of stolen data containing information from 300 million patient interactions with the NHS.