The Cancer Center of Hawaii in Oahu experienced a ransomware attack on November 5, 2019. The attack compelled the Cancer Center to power down its network servers. As a result, radiation treatment was temporarily unavailable to patients at St. Francis’ hospital in Liliha and Pali Momi Medical Center.
Although patient services suffered some interruption, the center believes that the attackers did not access any patient information. The breach investigation is still in progress, but all information saved on the radiology machines was recovered. The network is also fully operational again.
It is not known how long the network was shut down, and no information has yet been released regarding the types of patient data potentially compromised.
The Cancer Center has already informed the FBI about the breach. If the forensic investigators confirm that hackers may have accessed patient information, the center will also submit an incident report to the proper authorities.
Only the Cancer Center’s systems were affected by the breach. The attack did not have any impact on Pali Momi Medical Center and St. Francis’ hospital because their patient information and systems are separate from the Cancer Center’s.
Improper Disposal Incident at Zuckerberg San Francisco General Hospital
Zuckerberg San Francisco General Hospital notified 1,174 patients that meal tickets containing their protected health information (PHI) were disposed of improperly.
The PHI contained in the meal tickets includes patients’ full names, birth month, bed/unit in the hospital, dietary details, and menu. The proper way to dispose of the tickets is to place them in confidential waste bins. However, the tickets were unintentionally disposed of together with the regular garbage.
The breach happened because an employee did not know that the meal tickets should be shredded first. The San Francisco Department of Health learned of the improper disposal on November 15, 2019. The employee had been discarding meal tickets incorrectly from June 18 until November 4. After the discovery of the breach, the employee was instructed to follow the correct procedures for disposing of sensitive information.