Security Incident Drives Sonoma Valley Hospital to EHR Downtime

California-based Sonoma Valley Hospital is currently recovering from a security incident and operating under EHR downtime procedures; a hacking incident, phishing attack, and another Blackbaud breach victim complete this week’s breach roundup.

October 27, 2020 - Sonoma Valley Hospital in California is currently operating under EHR downtime procedures after falling victim to a security incident two weeks ago on October 11.

The incident joins a host of similar EHR downtime procedures in recent weeks, caused by various IT disruptions, security incidents, and ransomware attacks, including security events at Universal Health Services, Dickinson County Healthcare System in Michigan, and at least three other covered entities.

Officials called it a significant downtime event: the security incident affected all of Sonoma Valley Hospital’s computer systems. They said they have been able to maintain operations and patient care by leveraging the hospital’s business continuity plan, while the IT team works on fully restoring affected systems.

Further, the hospital has been able to maintain necessary surgeries and elective procedures despite the security incident, while the majority of diagnostics have continued without interruption. Officials said that while the patient portal has remained available, no new results have been posted since the attack was launched on October 11.

“The Hospital immediately initiated an investigation,” officials said in a statement. “We’ve partnered with outside experts to help us investigate and remedy this incident. We will provide updates as the investigation progresses.” 

It’s currently unclear just what caused the security incident or whether it’s ransomware. On average, incidents caused by ransomware spur about 15 days of EHR downtime, though it took UHS more than three weeks to fully recover from its ransomware attack.

Earlier this month, SoutheastHEALTH stopped a massive cyberattack that included a high volume of internet traffic directed at the hospital’s mainframe, according to local news outlet Southeast Missourian.

The computer network was shut down for a number of days to prevent the hackers from gaining access to the network, which could have disrupted the provider’s email and internet channels. SoutheastHEALTH maintained patient care by leveraging EHR downtime procedures and diverting potential emergency department patients to “alleviate the burden on staff.”

The systems were brought back online about two days after the attack, once the IT staff was able to confirm the network was free of the attackers. Officials said the EHR and its patient records were not affected in the attack, as the platform is hosted remotely by Cerner. The IT team is continuing to investigate the source and scope of the attack.


Buffalo-based BryLin Behavioral Health System is notifying an undisclosed number of patients that their data was potentially compromised after a five-day cyberattack in August.

On August 19, officials said they discovered unusual network activity and worked to secure the network. The investigation determined a cybersecurity incident first began five days earlier on August 14, which also impacted some documents stored on BryLin’s systems.

BryLin then performed a comprehensive review of all documents involved in the incident, which found some sensitive patient information was involved, such as names, contact details, treatments, and/or clinical data. For some patients, Social Security numbers and health insurance information were identified in the compromised documents.

The attack was contained to BryLin Hospital data, and no BryLin outpatient clinic data was affected by the event. Officials said they’re continuing to audit their systems for potential unauthorized activity and have implemented additional measures to enhance their security.


The Georgia Department of Human Services recently notified 45,732 patients that their data was impacted by a phishing attack that gave hackers access to several employee email accounts for 12 days in May.

The investigation determined the attacks occurred between May 3 and May 15. DHS worked with the Georgia Technology Authority to resolve the issue, including taking immediate action to lock all compromised accounts and block the malicious threat actors.

Several months later, the DHS team determined a hacker was able to retain some emails that contained personally identifiable information and protected health information of children and adults who received services from Child Protective Services.

DHS examined the emails and began to identify the impacted individuals on September 21. It’s important to note that under HIPAA, breach notifications must be sent within 60 days of discovering a breach of patient information.

The compromised data varies by patient but could include the names of children and members of their household, Medicaid and Medicaid insurance identification numbers, provider names, appointment dates, case numbers, and a host of other sensitive information, including Social Security numbers.

For 12 individuals, the hacker gained access to psychological reports, counseling notes, medical diagnoses, or substance abuse information. 

In response, Georgia DHS is implementing identity and access management options to bolster its security and prevent a recurrence. 


An undisclosed number of patients and individuals tied to the OSF HealthCare System in Illinois have been added to the tally of victims impacted by the massive Blackbaud hack that has already claimed more than 10 million individuals from the healthcare sector alone.

Blackbaud is a third-party cloud vendor for nonprofits, foundations, corporations, education institutions, healthcare entities, and change agents.  

In mid-August, Blackbaud began notifying some clients that it had fallen victim to a ransomware attack, in which the hackers exfiltrated data prior to launching the final payload. The cyberattack began on its self-hosted environment on February 7 but was not discovered by the vendor until May 20.

The threat actors were able to steal the sensitive information of donors, potential donors, patients, community members with relationships with the entity, and other individuals tied to the impacted organizations. The vendor paid the ransom demand to ensure the data was returned, with the hackers promising to destroy the stolen data.

Initially, Blackbaud stressed that only a small amount of sensitive information was hacked during the incident, but it later confirmed in a Securities and Exchange Commission filing that some Social Security numbers and other personal data were compromised during the event.

OSF concluded its investigation and review of the impacted Blackbaud database on August 20, confirming the compromised data included some patient information, such as names, contact details including email addresses, dates of birth, treatment facilities, treating providers, departments of service, room numbers, and/or medical records.

Blackbaud advised OSF that SSNs, financial account details, and credit card details were encrypted, and therefore the hackers could not access that data. Currently, OSF is assessing Blackbaud’s security safeguards and evaluating the data elements stored on Blackbaud’s systems.

The Blackbaud breach tally continues to climb, making it the largest healthcare data breach this year, by far. At least 10 lawsuits have been filed against the vendor so far, with the impacted individuals arguing that had the vendor “properly monitored their networks, security, and communications, they would have prevented the data breach or would have discovered it sooner.”

By Jessica Davis

Health IT Security