Unlimited Care and Nonstop Administration and Insurance Services Confirm PHI Exposure
The White Plains, NY-based home healthcare provider, Unlimited Care Inc., was the victim of a cyberattack that caused disruption to its network on February 16, 2023. Unlimited Care engaged a third-party cybersecurity firm to assist with the investigation and determine the nature and scope of the incident. The investigation is ongoing, but around March 21, 2023, it was determined that unauthorized individuals had access to parts of its network that contained sensitive data, and that information may have been viewed or acquired by the attackers.
The information confirmed as exposed includes employee names, addresses, birth dates, and Social Security numbers. The breach was reported to the Maine Attorney General as affecting up to 29,066 individuals. Complimentary identity theft protection services have been offered to those individuals. The breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 8,453 individuals.
Unlimited Care said it initiated a global password reset, has deployed the Carbon Black endpoint detection and response tool, has initiated geo-fencing for non-U.S. emails, prevented all non-U.S. IP address connections, has upgraded its AV software, and will be limiting access to the VPN to essential staff.
Nonstop Administration and Insurance Services Reports Unauthorized Data Access
Nonstop Administration and Insurance Services (NAIS), an administrator of health insurance benefits for employer groups, has recently announced that the protected health information of employees of its clients has been exposed. NAIS was contacted by an unknown party on December 22, 2022, who claimed to have accessed company data. An investigation was launched to verify the authenticity of the claim and it was determined that, for a limited time on December 22, 2022, an unauthorized individual had access to a cloud services platform that contained the data of client employees.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The data accessible varied from individual to individual and may have included name, date of birth, gender, address, email address, phone number, Social Security number, medical treatment/diagnosis information, and health insurance provider, claims, and billing information. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 8,571 individuals.
Lehigh Valley Health Network Provides Further Information on February BlackCat Ransomware Attack
Lehigh Valley Health Network (LVHN) recently explained in a court filing that it was the victim of a BlackCat ransomware attack in February 2023 and the attackers gained access to patient information, including sensitive photographs of up to 2,760 patients.
LVHN confirmed that data was exfiltrated in the attack and a ransom demand of $5 million was issued, payment of which was required to prevent the publication of the stolen data. LVHN refused to pay the ransom and sensitive data was then leaked on the dark web, including patient photographs. The attack targeted the network supporting Delta Medix, which was acquired by LVHN in 2021.
The information was disclosed in a notice transferring a class action lawsuit against LVHN from the Lackawanna County Court to the U.S. District Court. The investigation into the attack is ongoing and LVHN is still trying to identify all affected individuals but has so far confirmed that the photographs of 2,760 patients have been obtained by the attackers. The photographs were clinically appropriate and included naked images of patients from the waist up.
