Carthage Area Hospital, Claxton-Hepburn Medical Center, and North Country Orthopaedic Group cybersecurity incident update


CARTHAGE, NY — As our administration and IT teams complete our second full week of system stabilization following the cybersecurity incident of August 31, significant progress has been made to return to nearly our full complement of healthcare services at Carthage Area Hospital, Claxton-Hepburn Medical Center, and North Country Orthopaedic Group.

As of today, the emergency departments at both hospital locations continue to operate without any impact. All dialysis, cancer treatment and wound care services are fully operational.

Radiology and lab services have been restored. Some scheduled appointments with our outpatient services are being rescheduled. We are contacting impacted patients directly but recommend calling ahead of any appointment to confirm.

During our work to improve our existing security systems, we learned that some of our employees received unwanted messages believed to be from the alleged cybercriminals.

Our employees reported the incident to our IT department, which allowed us to quickly investigate the content and source of the e-mail. That investigation continues today. We also understand that a similar message was posted on social media Thursday. We have referred that to law enforcement, and they are investigating.

At this stage we have indications that some patient and employee records may have been accessed, and we are still investigating to what extent. Any patient or employee whose information may have been compromised will be contacted to the best of our ability, and a series of specific steps will be taken to provide additional protection.

“Your privacy is our priority,” said Carthage Area Hospital and Claxton-Hepburn CEO Rich Duvall. “An attack on our healthcare system is an attack on our community. We continue to take every step possible to protect the privacy and security of our employees, patients, and partners and we apologize for any inconvenience.”

Just as we have asked our employees to be alert for any suspicious activity, we’ll ask the same of our community. The US Department of Health and Human Services and the American Hospital Association recommend a series of best practices for awareness surrounding any cybersecurity incident:

● Avoid phishing emails and other social engineering attacks. Phishing emails are fraudulent messages that pretend to be from legitimate sources, such as your bank, your boss, or your colleague. They may ask you to provide sensitive information, click on a malicious link, or open a malicious attachment. These actions can compromise your security or infect your device with malware. To avoid phishing emails, you should always check the sender’s address, the message’s content, and the link’s destination before responding or clicking.

● Use strong and unique passwords for each of your accounts. A strong password is one that is long, complex, and hard to guess. A unique password is one that is not used for any other account.

● Lock your devices when not in use. This means using a password, a PIN, a fingerprint, or a face recognition feature to secure your device from unauthorized access. This can prevent someone from accessing your data or tampering with your settings if you leave your device unattended or lose it.

Any suspicious activity or incident should be reported directly to law enforcement. We continue to work directly with the FBI, the New York State Department of Health, and the Department of Homeland Security and Emergency Services.

Once again, we thank you for your patience and we will continue to provide updates as our efforts continue.


News release