Summit Pathology Laboratories, Inc., a Colorado pathology service provider, has confirmed in a breach report to the HHS’ Office for Civil Rights (OCR) that 1,813,538 patients have been affected by an April 2024 cyberattack. Summit Pathology said suspicious activity was identified within its computer environment on or around April 18, 2024, and immediate action was taken to prevent further unauthorized access. A third-party cybersecurity firm was engaged to investigate the incident and determine the nature and scope of the security breach.

Summit Pathology said evidence was found that an unauthorized cybercriminal accessed or acquired files containing patient data. The file review confirmed the files contained names, addresses, dates of birth, Social Security numbers, financial information, health insurance information, billing information, and medical information, including diagnoses.

According to a notice on the Summit Pathology website, ‘We will continue to mitigate the impact to consumers and care providers due to cyberattacks on the U.S. health system and Summit Pathology services, while staying dedicated to continuous improvement in protecting your information from cyberattacks.’

Summit Pathology has confirmed that law enforcement was notified about the cyberattack, policies and procedures related to data security have been reviewed, and additional administrative and technical safeguards have been implemented to prevent similar attacks in the future. Credit monitoring and identity theft protection services have been offered to the affected individuals, which include a $1,000,000 identity theft insurance policy.

The website breach notice does not state the nature of the incident; however, an attorney representing Summit Pathology confirmed to Information Security Media Group that the Medusa ransomware group was behind the attack and that the attack was detected shortly after an employee opened a malicious attachment in a phishing email.
While the attorney did not confirm whether a ransom was paid, there is currently no listing for Summit Pathology on the Medusa data leak site, where the group publicly lists the data of victims who fail to pay the ransom.

A data breach of this magnitude was certain to trigger a flurry of lawsuits, and affected patients and their attorneys have wasted no time taking legal action. The first lawsuit was filed just a couple of days after individual notifications were mailed, and more than half a dozen lawsuits have now been filed. That number is certain to swell over the coming days and weeks given the number of individuals affected.

Summit Pathology is not the only pathology services provider to be hit with a ransomware attack this year. Across the Atlantic in the United Kingdom, [Synnovis](https://www.hipaajournal.com/care-disrupted-at-london-hospitals-due-to-ransomware-attack-on-pathology-vendor/), a provider of pathology services to the National Health Service (NHS), experienced a hugely disruptive ransomware attack in June. The attack caused massive disruption to NHS pathology services in London and led to a nationwide shortage of type O blood, because the systems taken out of action were needed for blood matching. The Qilin ransomware group was behind the attack and went on to leak 400 GB of stolen data, including records from 300 million patient interactions with the NHS.

The post [Summit Pathology: 1.8 Million Individuals Affected by Ransomware Attack](https://www.hipaajournal.com/summit-pathology-data-breach/) appeared first on [The HIPAA Journal](https://www.hipaajournal.com).
Related Tags:
NAICS: 62 – Health Care And Social Assistance
NAICS: 623 – Nursing And Residential Care Facilities
NAICS: 92 – Public Administration
NAICS: 928 – National Security And International Affairs
Blog: Hipaa Journal
System Services
Phishing