At Least 24,400 Individuals Affected by 5 Healthcare Data Breaches
Data breaches have been announced by Bankers Cooperative Group in New Jersey, Communicare in Kentucky, Spring River Mental Health & Wellness in Kansas, OU Medicine in Oklahoma, and Behavioral Health Resources in Washington.
Bankers Cooperative Group
Bankers Cooperative Group, a New Jersey-based liability risk broker and provider of employee benefit programs to the banking industry, has discovered unauthorized access to an employee’s email account. The security incident was detected on August 13, 2024, and the account was immediately disabled. Computer forensics experts were engaged to determine the nature of the activity, how access to the account was gained, and whether any sensitive data was viewed or copied.
The forensic investigation confirmed on August 28, 2024, that some of the emails in the account could have been accessed in the incident. The email account was reviewed, and it was confirmed on November 15, 2024, that some of the emails contained personal and protected health information but it was not possible to tell whether any of those emails were accessed or copied. The delay in issuing notification letters was due to the time taken to identify the affected individuals, associate them with their respective employers, and obtain current mailing addresses. The affected companies were notified about the security breach on December 13, 2024. Employees of the following entities had their data exposed in the incident:
| Academy House | Comprehensive Cancer and Hematology Specialists | NVE Bank |
| Amboy Bank | Crest Savings Bank | Peapack-Gladstone Bank |
| Ascendia Bank | DP Property Management | Somerset Regal Bank |
| BCB Bank | Five Rivers Bank | Sturdy Savings Bank |
| Bogota Savings Bank | Franklin Savings Bank | Union County Savings Bank |
| Children’s Aid and Family Services, Inc. | Haven Savings Bank | United Roosevelt Savings Bank |
| Columbia Bank | Mast Construction Services, Inc. | Village Office Supply |
The affected individuals have been offered complimentary credit monitoring and identity theft protection services. When notification letters were mailed to the affected individuals, no misuse of the exposed data had been detected.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Inlet Health (Communicare)
Inlet Health, dba as Communicare, a provider of behavioral health, developmental disabilities, and substance abuse services in Kentucky, has notified 3,771 patients about a November 2024 security incident that exposed their personal and protected health information.
Unusual activity was identified within some of its IT systems on November 23, 2024. The forensic investigation confirmed there had been unauthorized access to its network for a short period on November 23. Despite the short window of opportunity, files were exfiltrated from those systems. The types of information stolen in the incident varied from individual to individual and may have included names plus one or more of the following: Social Security number, date of birth, driver’s license number, state-issued identification number, passport number, military identification number, financial account information, medical information, and health insurance information. Law enforcement was notified about the security incident and steps were taken to secure its network and strengthen defenses. At the time of issuing notification letters, no misuse of the affected data had been detected.
OU Medicine
OU Medicine in Oklahoma has confirmed that an unauthorized third party accessed two employee email accounts that contained personal and protected health information. The unauthorized access was detected by OU Medicine on or around October 18, 2024, and immediate action was taken to secure the accounts to prevent further unauthorized access. Third-party cybersecurity professionals assisted with the investigation, securing the network, and determining whether any sensitive data was viewed or acquired.
On November 18, 2024, OU Medicine learned that files containing personal information were present in the account and many have been viewed or acquired. Those files contained full names plus one or more of the following: date of birth, date of medical service, diagnosis, diagnosis code, lab results, procedure type, provider name, health insurance policy number, medical history, treatment information, treatment location, mental or physical condition, medical record number, billing/claim information, prescription information, and Social Security number.
All affected individuals have been notified and individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring services. Email security and internal controls have been enhanced to prevent similar incidents in the future. The breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 2,537 individuals.
Spring River Mental Health & Wellness
Spring River Mental Health & Wellness in Kansas has alerted 3,250 individuals about a recent cyberattack. The attack was detected on November 26, 2024, when technical issues were discovered in its network. The statement issued about the security incident provides scant information, only stating that certain data may have been accessed or acquired without authorization and the incident is still under investigation to determine what types of information may have been acquired. The phraseology used in the statement suggests a ransomware attack.
Behavioral Health Resources
Behavioral Health Resources, a provider of mental health and substance use disorder treatment services in Washington State, has reported a hacking/IT incident to the HHS’ Office for Civil Rights that involved the protected health information of at least 501 individuals. The incident is still under investigation to determine which individuals have been affected. It has been confirmed that the hacker was able to access information such as names, contact information, Social Security numbers, photos, biometric data, medical information, health insurance information, and financial information.
Update: April 22, 2025
Further information has been released about the data breach, and the Maine Attorney General has been notified that 50,083 individuals have been affected. The updated notice confirms the types of data compromised in the incident, which includes full names (including maiden name), addresses, dates of birth, Social Security numbers, telephone/fax numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, biometric and/or genetic data, full face photographic images, birth and/or marriage certificates, tribal IDs, government-issued IDs, taxpayer identification numbers, electronic/digital signatures, financial institution names, medical billing information, medical information (including diagnosis and/or condition information, treatment information, lab results, provider name, physician, patient ID, medication information, admission date, discharge date, treatment cost information, and date of death), other health-related information and incidental health references, and health insurance information.
