Data Breaches Reported by Lakeshore Bone & Joint Institute and Putnam County Memorial Hospital
Lakeshore Bone & Joint Institute, an orthopedic practice in Indiana, has experienced a breach of its Microsoft Office 365 environment, which included emails and attachments that contained the protected health information of certain patients.
Unusual activity was detected in an employee email account on July 7, 2021. Steps were immediately taken to prevent further unauthorized access and a cybersecurity and digital forensic firm was retained to investigate the breach and assist with remediation efforts.
The breach investigation confirmed that an unauthorized individual had gained access to a single employee email account. A review of the account was completed on October 21, 2021, and revealed the following types of patient information may have been viewed or acquired in the attack:
Date of birth, treatment information, diagnosis, provider name, MRN/patient ID, health insurance information, treatment cost information, and, for certain individuals, Social Security numbers.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Individuals whose Social Security numbers were potentially compromised have been offered a 12-month membership to identity theft monitoring services at no cost.
The breach report submitted to the Maine attorney general indicates 23,627 individuals have potentially been affected by the breach.
PHI Potentially Compromised in Putnam County Memorial Hospital Ransomware Attack
Putnam County Memorial Hospital in Unionville, MO, has started notifying 6,916 individuals about a July 2021 cyberattack in which protected health information was potentially compromised.
The attack was detected on July 18, 2021, when the staff was prevented from accessing ceratin computer systems and files. A forensic investigation confirmed an unauthorized individual had gained access to its network at some point between July 16 and July 18, deployed a variety of network reconnaissance tools to identify systems and data of interest, then used ransomware to encrypt files.
The forensic investigation confirmed the parts of the network accessed by the attacker included patient and employee data including names, addresses, Social Security numbers, physician-patient assessments and records, patient authorizations, and lab and radiology reports. Financial information is not believed to have been compromised.
Following the breach, new security measures were implemented to better protect patient data. Complimentary credit monitoring services have been offered to affected individuals for 12 months at no cost. Those services include darknet and clearnet monitoring, quick cash scan, fraud consultation and identity theft restoration services, and identity theft insurance.
