5 HIPAA-Regulated Entities Announced Hacking Incidents that Exposed PHI

PHI of Almost 69,000 Individuals Compromised in Hacking Incident at Comstar

Comstar, a Rowley, MA-based provider of ambulance billing, collection, ePCR Hosting, and client/patient services, has discovered that an unauthorized third party gained access to some of its servers, which housed files that contained individuals’ personally identifiable and protected health information. Some of those files were confirmed as having been viewed.

The substitute breach notice did not state when the breach occurred, but it was detected on or around March 26, 2022. A review of the affected files confirmed they contained information such as names, dates of birth, medical assessment and medication information, health insurance information, and Social Security numbers. Comstar said it already had strict security measures in place, a review has been conducted of its policies and procedures relating to data security, and measures will be taken to further protect against similar incidents in the future. No evidence of data theft or misuse of individuals’ information was identified; however, as a precaution, complimentary credit monitoring and identity theft protection services are being offered.

The breach was reported to the HHS’ Office for Civil Rights as affecting 68,957 individuals.

DialAmerica Marketing Data Breach Affects Almost 20,000 Individuals

The New Jersey HIPAA business associate, DialAmerica Marketing, which provides telemarketing services for almost a quarter of the leading health plan providers in the United States, has confirmed it was the victim of a hacking incident that saw unauthorized individuals gain access to its network on July 4, 2021. The forensic investigation of the security breach determined that its network was compromised between February 2, 2021, and July 9, 2021, and during that time period, the protected health information of individuals may have been viewed or stolen. The review of the affected files was completed on February 4, 2022, and confirmed that names, addresses, and other (unspecified) data may have been compromised.

The breach was reported to the HHS’ Office for Civil Rights as affecting 19,796 individuals.

Express Scripts’ Customer Accounts Accessed by Unauthorized Third Party

The pharmacy benefit management organization, Express Scripts, has announced that the accounts of certain customers have been accessed by an unauthorized third party. In a breach notification to the Massachusetts Attorney General, Express Scripts explained that certain Express Scripts mobile application accounts were accessed without authorization using a correct username and password.

The suspicious activity was detected on May 1, 2022, with the account breaches determined to have occurred between April 30 and May 3, 2022. Information in the accounts that may have been viewed included names, medication names, prescription numbers, medication dosage, prescribing physicians’ names, and the names of pharmacies.

When the security breach was detected, affected accounts were locked and passwords were reset. Incidents such as this are commonly the result of password spraying – the use of breached usernames and passwords to access totally unrelated accounts. These attacks are made possible by password reuse across multiple platforms. Express Scripts has recommended that affected individuals change their passwords on all other accounts that share the same password.

It is currently unclear how many individuals have been affected.

Alliance Physical Therapy Partners Announces Hacking Incident

Grand Rapids Charter Township, MI-based Alliance Physical Therapy Partners, formerly Agility Health, has confirmed that an unauthorized third party accessed certain systems within its network that contained patients’ protected health information. The breach was detected on December 27, 2021, and it was determined on January 7, 2022, that patient data had been compromised. The unauthorized access occurred between December 23, 2021, and December 27, 2021. A comprehensive review of all potentially affected files was completed on April 19, 2022.

Alliance Physical Therapy Partners said policies and procedures have been reviewed and additional cybersecurity safeguards have been implemented.

The breach has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many patients have been affected.

Hacking Incident Reported by 90 Degree Benefits Minnesota

90 Degree Benefits Minnesota has announced it suffered a data security incident on February 27, 2022, which affected some of its IT systems. 90 Degree said the forensic investigation was unable to confirm whether personal information was viewed or acquired and there have been no reports of attempted or actual misuse of personal information; however, unauthorized access and data theft could not be ruled out.

The review of the affected files confirmed they contained names, dates of birth, Social Security numbers, phone numbers, addresses, and health information. 90 Degree said security measures have been enhanced to prevent similar incidents in the future. Affected individuals were notified on June 9, 2022, and have been offered complimentary credit monitoring and identity theft protection services.

The breach has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many patients have been affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.