The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Healthcare Data Potentially Compromised in 5 Hacking Incidents

NYSARC Columbia County Chapter Notifies Individuals About July 2022 Ransomware Attack

NYSARC Columbia County Chapter (COARC) has started notifying certain individuals that some of their protected health information has potentially been obtained by unauthorized individuals in a July 2022 ransomware attack. According to the notifications, suspicious activity was detected within its network on July 19, 2022, that was consistent with a ransomware attack. Steps were immediately taken to contain the incident and an investigation was launched, which confirmed that the attacker had access to certain COARC systems for a limited period in July.

The attack appears to have been conducted with the sole purpose of encrypting data for extortion purposes. It is not known whether data exfiltration occurred, but it could not be ruled out. COARC did not say if the ransom was paid. COARC said the types of information involved included names and one or more of the following: address, Social Security number, financial account, credit card information, medical information, student information, driver’s license, and passport number. No evidence of misuse of that information has been detected in the 9 months from the discovery of the breach to issuing notifications on April 28, 2023. COARC said additional security protocols have been implemented to better protect its network, email environment, and other systems from future attacks.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 5,701 individuals.

Network Security Incident at Petaluma Health Center

Petaluma Health Center (PHC) in California has recently confirmed that an unauthorized third party gained access to its network and potentially obtained patient information. PHC said a network security incident was detected on March 14, 2023, but did not disclose any further information on the nature of the incident, such as whether this was a ransomware attack or for how long its network was compromised.

PHC said information maintained for payroll and human resources purposes was potentially accessed, although no evidence of misuse of that information has been detected. The information exposed in the attack included one or more of the following: full name, address, Social Security number, driver’s license number, passport number, date of birth, and/or health insurance plan information.

PHC said it is reviewing and enhancing technical safeguards to prevent similar incidents in the future and affected individuals have been offered complimentary single-bureau credit monitoring services. The breach has been reported to the HHS’ Office for Civil Rights as affecting 124,862 individuals.

Health Plan Services Malware Infection Affects 9,457 Individuals

Health Plan Services Inc, a Tampa, FL-based provider of technology-based services to health plans, has found malware on its network which may have allowed unauthorized individuals to access and acquire files containing the protected health information of 9,457 individuals.

According to the notification letter sent to the California Attorney General, the malware infection was detected on June 23, 2022. It took 8 months to complete the forensic investigation, which was concluded on February 28, 2023, and the document review was completed on March 21, 2023. Notifications were issued on or around April 28, 2023.

The breach involved names, personal information, and Social Security numbers. Individual notifications state the exact types of information that were exposed/acquired. Identity theft protection services have been offered to affected individuals, security practices have been reviewed and enhanced, and additional training has been provided to the workforce.

Mars Area School District Reports 8-Month System Compromise

Mars Area School District in Pennsylvania says unauthorized individuals gained access to its network between January 27, 2022, and September 26, 2022, and potentially obtained the personal information and protected health information of up to 1,270 individuals. The breach notifications do not state when the intrusion was detected but explained that the delay in issuing notifications – almost 6 months – was due to the lengthy forensic investigation and manual document review. It was confirmed on March 30, 2023, that sensitive data had been exposed and notifications were mailed to affected individuals on April 24, 2023.

The school district said names were potentially accessed along with one or more of the following data types: Social Security number, driver’s license number, state identification number, health insurance information, medical information, username/password, and financial account information. Complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

“Mars continually evaluates and modifies practices and internal controls to enhance the security and privacy of personal information, including updating passwords and enhancing email access protocols”, explained the school district in its notification letters.

Network Security Breach Reported by Graceworks Lutheran Services

Graceworks Lutheran Services, a Centerville, OH-based social services organization, said unauthorized individuals gained access to its computer systems and potentially accessed and obtained the protected health information of 6,737 individuals. Suspicious activity was detected in its computer systems on or around February 18, 2023. A third-party computer forensics firm was engaged to investigate and confirmed the unauthorized access. While no evidence of misuse of the exposed data has been identified, unauthorized access and data theft could not be ruled out. The information exposed varied from individual to individual and may have included names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.

The data review and verification of contact information was completed on March 31, 2023, and notification letters were mailed in April.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
