California payer, Kentucky health system among latest cybersecurity victims

an open lock

Cybersecurity issues continue to plague the healthcare industry, with the latest victims a California-based health plan as well as a health system comprising 11 hospitals in West Virginia and Kentucky.

SCAN Health Plan, located in Long Beach, California, announced last Friday that consumer information on contact sheets had been accessed without authorization. Overall, 87,000 individuals were impacted, SCAN spokesman Ross Goldberg told FierceHealthIT, fewer than half of whom were health plan members. Some of those impacted may simply have inquired about SCAN Health Plan, according to Goldberg.

Nancy Monk, chief administrative officer with SCAN, told FierceHealthIT that “legitimate” employee credentials were used to access the database for an unauthorized purpose. While the company believes the breach was internal, it has yet to narrow down the culpable parties.

“To the extent that the investigation produces sufficient information, we will pursue legal action,” Monk said. “What we’re really focused on is answering calls from our members and our potential customers that have called us in the past and really trying to help them work through their concerns related to” the breach.

Information exposed includes names, addresses and phone numbers; for some, it also includes birth date and “limited health notes,” such as doctor name, health condition or medication name. Goldberg also said that fewer than 500 Social Security numbers were potentially exposed.

SCAN learned of the breach, which occurred between March and June of this year, on June 27; it began sending letters to those exposed last week. The health plan is offering free identity protection services to those impacted for one year.

At Appalachian Regional Healthcare (ARH), meanwhile, hackers on Aug. 27, planted a computer virus in the provider’s electronic web-based services and electronic communications, according to The Register-Herald.

In a statement posted Aug. 29 to the health system’s website, ARH Vice President of Medical Affairs Maria Braman said that all patient care, registration, medication, imaging and lab services are being handled manually. According to The Register-Herald, such services have been manual since Saturday.

All patients, she said, should bring prescribed medications and medical history information with them when visiting ARH physician practices or emergency departments.

“We can assure all ARH patients and our communities that all of our facilities and services remain open as normal, including our emergency departments, and patients will continue to receive care in a safe and secure environment,” Braman said.