5 Security Breaches Reported in Which PHI was Potentially Compromised

Patient Information Potentially Compromised in Atrium Health Phishing Attack

A phishing incident has been reported by Charlotte, NC-based Atrium Health that exposed the protected health information of 6,695 patients who used its home health service, Atrium Health at Home. On April 7, 2022, an employee responded to a phishing email and disclosed credentials for an email and messaging account. The breach was detected on April 8 and the unauthorized access was immediately blocked.

Between April 7 and April 8, the unauthorized third party used the account to send other phishing emails, which suggests that obtaining patient information stored in the account was not the aim of the attack, although it was not possible to determine if any patient information was viewed or obtained.

A review of the emails, messages and attachments in the account revealed they contained patients’ full names, home addresses, birth dates, health insurance information, and medical information (such as medical record number, dates of service, provider and facility and/or diagnosis and treatment information). A limited number of individuals also had their Social Security numbers, driver’s license/state ID numbers, and/or financial account information exposed. Atrium Health said there have been no reported cases of misuse of patient data.

Affected individuals have been notified and complimentary credit monitoring and identity theft protection services have been offered to individuals who had either their Social Security number, driver’s license number, or financial account information exposed. Security controls have been enhanced and Atrium Health said it will continue to provide regular phishing training to the workforce.

Patient Data Stolen in Ransomware Attack on Heartland Healthcare Services

Heartland Healthcare Services in Toledo, OH, a HCR-ManorCare- and CVS Health-owned pharmacy, has confirmed that files containing patient data were exfiltrated from its network in an April 2022 ransomware attack. The attack was detected on April 11 when the staff was prevented from accessing files on the network.

Heartland Healthcare Services said a ransom demand was issued, but after consulting the Federal Bureau of Investigation, the decision was taken not to pay the ransom demand. Some of the data stolen in the attack has since been uploaded to the ransomware gang’s dark web data leak site.

An analysis of the affected files confirmed they contained the protected health information of 2,763 patients who had received medications through Heartland Healthcare Services, including Heartland Pharmacy of Pennsylvania, Heartland Pharmacy of Maryland, or Heartland Pharmacy of Illinois. The stolen data included names, addresses, telephone numbers, medication names, and other medication-related information.

Heartland Healthcare Services said it has strengthened its security measures to prevent similar attacks in the future.

Acorda Therapeutics Reports Breach of its Email Environment

The Ardsley, NY-based biotechnology company, Acorda Therapeutics, has discovered an unauthorized third party gained access to its email environment and potentially viewed emails and attachments containing patient data. The email account breach was detected in January 2022, and the forensic investigation confirmed that certain email accounts had been compromised on or around December 15, 2021.

The review of the affected email accounts was completed on April 27, 2022. Acorda Therapeutics then verified the contact information of affected patients, and notification letters were sent to affected individuals in May and June 2022. The types of information potentially accessed included names in combination with one or more of the following: date of birth, medical record number, diagnosis information, treatment information, clinical information, prescription information, Social Security number, financial account information, insurance provider, and/or treatment cost information.

Acorda Therapeutics said steps have been taken to improve email security to prevent similar breaches in the future. The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

PHI of 6,200 TridentCare Patients Potentially Accessed in Break-in

The Maryland-based mobile clinical services provider, TridentCare, announced on June 16, 2022, that the personal and protected health information of clients and their guarantors may have been accessed by unauthorized individuals during a break-in at its facilities. The data was stored on physical hard drives in the facility. Third-party cybersecurity experts were engaged to assess whether patient data had been accessed and concluded that there was “a significant possibility that data on the hard drives would have been corrupted,” which would have rendered the data unreadable. If that had not happened, in order to read the data, individuals would have had to have “certain technical capabilities.”

A review of the hard drives confirmed they contained the protected health information of 6,200 individuals. For most individuals, the data on the hard drives consisted of names and dates of birth, and for some individuals, name, date of birth, and Social Security number. Other potentially sensitive information such as financial records or details relating to medical tests is not believed to have been compromised.

Avamere Health Services Says PHI Stolen in Hacking Incident

Wilsonville, OR-based Avamere Health Services has discovered an unauthorized third party had intermittently accessed its network between January 19, 2022, and March 17, 2022. The forensic investigation confirmed on May 18, 2022, that certain files and folders had been copied from its systems during that period, and some of those files contained patients’ protected health information.

Avamere Health Services has not publicly announced the types of information compromised in the breach, and that information has been redacted from the breach notice submitted to the Vermont Attorney General. Avamere Health Services has said that affected individuals have now been notified by mail and informed about the types of information that were exposed. Complimentary credit monitoring and identity theft protection and resolution services have been offered.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.