25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Hacking Incidents Reported by Retinal Consultants Medical Group, Three Rivers Regional Commission, & ACE Surgical Supply

Posted By on Nov 25, 2021

Retinal Consultants Medical Group, ACE Surgical Supply, and Three Rivers Regional Commission have recently reported cyberattacks in which the protected health information of patients may have been obtained by unauthorized individuals.

Retinal Consultants Medical Group Hacking Incident Affects 11,603 Patients

Vitreo-Retinal Medical Group Inc., dba Retinal Consultants Medical Group, says it was the victim of a sophisticated cyberattack that was detected on or around July 12, 2021, and caused service disruption.

Vitreo-Retinal Medical Group engaged third-party cybersecurity consultants to help restore its systems and investigate the nature and scope of the attack. While the investigation confirmed unauthorized individuals had gained access to its computer network, it was not possible to tell if any protected health information was accessed or exfiltrated, although no reports have been received that suggest actual or attempted misuse of patient data.

A comprehensive manual and programmatic review of the affected systems confirmed the following types of protected health information had potentially been compromised: name, address, date of birth, medical condition or treatment information, medical record number, diagnosis code, patient account number, Medicare/Medicaid information, treating physician name, health insurance information, and username/password. A limited number of Social Security numbers were also stored on the affected systems.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Vitreo-Retinal Medical Group says third-party cybersecurity experts have been assisting with a review of its security systems and additional measures will be implemented, as appropriate, to improve data security.

Affected individuals started to be notified on November 9, 2021, and complimentary credit monitoring services have been made available where required.

12,122 Individuals Affected by Cyberattack on ACE Surgical Supply

Brockton, MA-based ACE Surgical Supply has discovered its IT environment was accessed by an unauthorized individual who may have viewed or obtained the protected health information of 12,122 individuals.

Its systems were accessed on June 29, 2021, and the breach was detected the same day. The investigation confirmed the affected systems contained personal information along with financial account numbers, debit/credit card information, and information that could potentially allow accounts to be accessed.

ACE Surgical Supply said affected individuals have been offered credit monitoring and identity theft protection services for 24 months at no cost.

Three Rivers Regional Commission Ransomware Attack Impacts 2,000 Patients

The Griffin, GA-based regional planning organization, Three Rivers Regional Commission, has discovered the protected health information of around 2,000 individuals may have been obtained by unauthorized individuals in a ransomware attack.

The attack was detected on July 20, 2021, when employees were prevented from accessing its computer systems. Assisted by third-party cybersecurity experts, Three Rivers Regional Commission determined the attacker gained access to its systems between July 18, 2021 and July 20, 2021 and prior to the use of ransomware, exfiltrated files containing sensitive data.

The forensic investigation is ongoing and notification letters will be sent to affected individuals when their identities and contact information have been determined. At this stage, the following types of information are believed to have been obtained in the attack: Name, address, driver’s license number, Social Security number, and medical information, including diagnosis and treatment information, lab test results, medications, and Medicare/Medicaid identification numbers.

Three Rivers Regional Commission said it is implementing additional administrative and technical safeguards to further secure the information in its systems.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist