- Seymour, Indiana-based Schneck Medical Center has reached a $250,000 settlement with the state after regulators sued the hospital over a 2021 data breach that exposed the personal health information of nearly 90,000 residents.
- Indiana alleged the hospital knew about “critical security issues” before the breach, according to the lawsuit. It also argued Schneck failed to directly notify patients for more than 200 days after the hospital first discovered the breach, and didn’t immediately disclose the risk of exposure of personal health information or encourage patients to take precautions.
- The medical center said it is making “numerous efforts” to bolster existing safeguards and introduce additional measures to prevent future attacks in a statement shared with Healthcare Dive.
Schneck, which serves four counties in southeast Indiana, was hit by a ransomware attack in late September 2021, according to the state’s lawsuit. The attack exposed personal health information that included full names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, payment card information, medical diagnoses and health insurance information.
The state alleged that the medical center knew about security issues that contributed to the breach after a HIPAA risk analysis was completed in late 2020, yet the center had still “knowingly failed to implement and maintain reasonable security practices” to protect patients’ personal data.
Indiana also said Schneck didn’t disclose that the breach involved personal health information or directly notify patients until May 2022 — more than 200 days after the hospital first discovered the breach in November.
The hospital also misrepresented when it discovered the breach in the notice posted in May, saying that it found the breach in March 2022, the state alleged.
Data breaches have become increasingly common in the healthcare sector over the past decade, exposing 385 million patient records from 2010 to 2022, according to federal records.
The industry is particularly vulnerable to cyberattacks due to high-value data alongside weaker threat mitigation, made worse by burnout and staff shortages that increased during the COVID-19 pandemic.
Ransomware, where criminals demand payment in exchange for returned access to critical systems, is a serious risk for health systems and patients, as they can disrupt care and shut down facilities.