Des Moines Orthopaedic Surgeons Notifies Patients About February 2023 Data Breach
Des Moines Orthopaedic Surgeons (DMOS) in Iowa has recently notified 307,864 current and former patients that some of their protected health information (PHI) was exposed in a cyberattack almost a year ago. DMOS explained that the incident occurred on or around February 17, 2023, and allowed an unauthorized third party to access and/or remove files containing the PHI of DMOS patients. DMOS said the breach was due to the failure of one of its vendors.
DMOS said it immediately contained the threat and engaged third-party cybersecurity experts to investigate the incident to determine the extent of compromise. According to the notification letters, “DMOS devoted considerable time and effort to assessing the extent and scope of the incident and to determine what information may have been accessible to the unauthorized users.” It took 10 months to determine that patient data was present in the documents and records involved, with PHI exposure not confirmed until December 6, 2023.
The types of data involved included names along with one or more of the following: Social Security number, date of birth, driver’s license numbers, state identification numbers, passports, direct deposit bank information, medical information, and health insurance information. Notification letters were mailed on January 22, 2024, and individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.
Michigan Orthopaedic Surgeons Email Account Breach Affects 67,000 Patients
Michigan Orthopaedic Surgeons has recently notified 67,477 patients that some of their PHI was present in an email account that was accessed by unauthorized individuals. Suspicious activity was detected in the email account on or around June 29, 2023. A third-party forensic security company was engaged to investigate the incident and confirmed the email account had been accessed by an unauthorized individual between May 5, 2023, and June 21, 2023.
A comprehensive review of the account was initiated, and it was determined on October 20, 2023, that protected health information was present in the account. The types of information varied from individual to individual and may have included names in combination with one or more of the following: date of birth, Social Security number, financial account number, username and password, health insurance information, and medical information, such as diagnosis, lab results, and prescription information. Individual notifications were mailed on December 19, 2023, and complimentary credit monitoring services have been provided to the individuals who had their Social Security numbers exposed.
Prestige Care Suffers Ransomware Attack
Prestige Care, Inc., a Vancouver, WA-based senior care organization, has recently notified 38,087 individuals that some of their personal and protected health information was potentially accessed or acquired in a September 2023 ransomware attack. The attack was detected on September 7, 2023, with the investigation determining that malware had been installed that prevented access to certain files on its system. The investigation confirmed that the threat actor had access to files containing personal and health information on September 7.
The file review confirmed on December 18, 2023, that those files included names and Social Security numbers. Notification letters started to be sent to the affected individuals on January 31, 2024. Complimentary credit monitoring services have been offered for 12 months.
Bay Area Heart Center Impacted by Phishing Attack on Business Associate
Bay Area Heart Center in St. Petersburg, FL, has confirmed that patient data was exposed in a cyberattack at the law firm Bowden Barlow Law, P.A., which Bay Area Heart Center uses for collections. An employee at the law firm responded to a phishing email, which provided the attacker with access to one of the law firm’s servers between November 17, 2023, and December 1, 2023. Bay Area Heart Center was notified about the breach on December 27, 2023.
The investigation found no evidence to suggest data had been downloaded, but data theft could not be ruled out. The exposed data included names, addresses, full and partial Social Security numbers, dates of service, limited claims data, and insurance policy numbers. “Bay Area Heart Center takes this matter extremely seriously and is equally frustrated that its patient files were compromised by a third-party vendor,” explained the healthcare provider in its breach notice. “Given the potential impact this breach could have on patients, and in furtherance of its commitment to safety and security, the medical practice is currently reevaluating its partnership with Bowden Barlow Law.” Bay Area Heart Center said it has offered the affected individuals a one-year membership to a credit monitoring service.
Northern Light Health Says Patient Data Not Compromised in Cyberattack
On February 4, 2024, Northern Light Health in Brewer, ME, announced that it was forced to take its patient records system offline on February 3, 2024, after discovering certain computers had been compromised in a cyberattack. Northern Light Health explained that none of the affected computers stored any patient data, and that the patient record system was taken offline while the incident was investigated. Northern Light Health said no third party has made contact demanding a ransom and the decision to take patient records offline was taken out of an abundance of caution. Downtime procedures were initiated immediately, and patient care was not disrupted.
Daily updates were provided on its website, and on February 5, 2024, Northern Light Health said its medical record system was back online. The incident is still being investigated and there are still no indications that patient data was exposed.


