The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

98,000 UT Southwestern Medical Center Patients Affected by MOVEit Cyberattack

UT Southwestern Medical Center (UTSW) has recently confirmed that the protected health information of 98,437 patients was stolen in a cyberattack on May 28, 2023. The Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit file transfer solution, gained access to UTSW’s MOVEit server, and exfiltrated files that contained names, medical record numbers, dates of birth, medication names, medication dosages, and prescribing provider names. A subset of the affected individuals also had their Social Security numbers stolen. UTSW was notified about the attack by Progress Software on May 30, 2023, and the exploited vulnerability was immediately patched.

The German cybersecurity firm KonBriefing has recently announced that its data shows at least 455 organizations were attacked in this campaign, and at least 23 million individuals were affected. The Clop group has recently started posting victim data on its clear web data leak site.

Family Vision of Anderson Suffers Ransomware Attack

Family Vision of Anderson in South Carolina was the victim of a May 2023 ransomware attack. A ransom note was detected on its computer system on May 28, 2023, indicating files had been encrypted. Computer systems were immediately taken offline to prevent further unauthorized access, and law enforcement was notified. The US Secret Service assisted with the investigation and determined ransomware was used to encrypt files on May 21.

The attackers may have obtained files containing the information of patients and their family members, including names, dates of birth, Social Security numbers, driver’s license numbers, telephone numbers, email addresses, gender, medical record numbers, health insurance information, allergies and other medical history information, appointment dates, scheduled optometrist names, optometry prescriptions, and optometry eye scans. Security has been enhanced, and employees have been provided with further training. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 62,631 individuals. Notification letters have been sent and affected individuals have been offered complimentary identity theft protection services.

17,000 Individuals Affected by LifeWorks Wellness Center Hacking Incident

LifeWorks Wellness Center in Clearwater, FL, has recently reported a data breach to the Maine Attorney General that has affected 17,000 patients. Hackers gained access to its internal file system on or around May 20, 2023, and the forensic investigation confirmed that files containing patient data had been viewed and may have been stolen. LifeWorks said the hackers did not gain access to its patient database, which includes medical and treatment records. The compromised servers included the information of current and former patients and employees, such as names, Social Security numbers, credit card numbers, health identification codes, and medical conditions and diagnoses. LifeWorks said it has implemented additional security measures to prevent similar breaches in the future.

UC Davis Health Reports Breach of Employee Email Account

On May 24, 2023, UC Davis Health in Sacramento, CA, confirmed that the email account of an employee had been accessed by an unauthorized individual. The employee used their work email account to coordinate follow-up care for patients and the account included limited protected health information. The forensic investigation confirmed that only one email account had been compromised, and the breach was detected quickly by its IT security systems; however, it is possible that sensitive data was copied. Affected individuals have been offered complimentary credit monitoring services for 12 months and the employee concerned has received additional training on email security. The HHS’ Office for Civil Rights Breach portal indicates 3,200 individuals were affected.

Paramedic Billing Services Confirms Hackers Had Access to Patient Data

Elmhurst, IL-based Paramedic Billing Services has recently announced that it fell victim to a cyberattack in late May 2023. Suspicious activity was identified in its computer network and systems were immediately secured to prevent further unauthorized access. On June 23, 2023, Paramedic Billing Services determined that an unauthorized third party had access to systems containing protected health information and may have copied certain files from its systems. Those files included names, contact information, dates of birth, medical information, health insurance information, Social Security numbers, driver’s license/state identification numbers, financial account information, and payment card information.

The file review is ongoing, so the total number of affected individuals has yet to be established. The incident has been reported to the HHS’ Office for Civil Rights as involving at least 501 individuals. Notification letters will be sent to affected individuals when the review is completed. Paramedic Billing Services said its existing policies, processes, and procedures relating to data protection and security are being reviewed and will be enhanced.

Cardiac Monitoring Software Company Suffers Cyberattack

The Canadian cardiac monitoring software company, CardioComm Solutions Inc., has announced that it has suffered a cyberattack that has taken some of its IT systems out of operation. According to a statement released by the company, the attack has caused downtime to its services: Global Cardio 3, GEMS Flex 12, GEMS Home Flex (upload), and HeartCheck CardiBeat/GEMS Mobile ECG/RPM (record/upload). The disruption is expected to continue for several days, and potentially longer. Third-party cybersecurity experts have been engaged to investigate the attack and determine the extent to which sensitive data was involved. Customer data is not believed to have been involved, as CardioComm does not collect customer data, and its software runs on each customer’s server environment; however, employee data may have been compromised. Identity theft protection services will be offered to affected employees as a precaution.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
