
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

PHI Compromised in Cyberattacks on South Texas Oncology and Hematology & Highland Health Systems

Patients and employees have been notified about cyberattacks and data breaches at South Texas Oncology and Hematology in Texas and Highland Health Systems in Alabama.

South Texas Oncology and Hematology Cyberattack Affects 175,195 Patients

South Texas Oncology and Hematology (STOH), a cancer treatment center in San Antonio, TX, has notified 176,303 individuals about a cybersecurity incident detected on February 15, 2024. Upon discovery of the security breach, the network was disconnected, and a third-party cybersecurity firm was engaged to assist with securing its systems and to conduct a forensic analysis to determine the nature and scope of the incident.

On February 19, 2024, STOH confirmed that an unauthorized individual had access to parts of its network containing the personal information of employees and the protected health information of current and former patients, and those files may have been acquired in the attack. The files are currently being reviewed and are likely to include names and medical information, although other types of information may also have been compromised.

STOH notified law enforcement and regulators about the attack in March and April and uploaded a breach notice to its website. The file review was completed in June 2024. At the time of issuing notifications, no evidence had been found of any actual or attempted misuse of the exposed data; however, as a precaution, the affected individuals have been offered Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no charge.


STOH has reviewed its policies, procedures, and security measures and has taken several steps to enhance security, including updating security tools and implementing new, automated protections. The breach was reported to the Maine Attorney General as affecting 176,303 individuals, and to the HHS Office for Civil Rights as involving the protected health information of 175,195 patients.

Highland Health Systems Notifies Patients About July 2023 Cyberattack

Highland Health Systems, an Anniston, AL-based mental health center, has recently notified 83,543 individuals about a cyberattack detected on July 3, 2023. After suspicious activity was discovered, a specialized cybersecurity firm was engaged to help secure its systems and conduct a forensic investigation, which uncovered evidence that an unauthorized third party had accessed files on its network.

A review was conducted to determine how many patients had been affected and the types of information involved. Highland Health Systems said the lengthy and comprehensive review was completed on May 24, 2024, and on May 28, 2024, a third-party vendor was engaged to assist with mailing notification letters. Highland Health Systems then worked to verify the information and obtain up-to-date address information to allow notifications to be mailed.

The information exposed included names in combination with one or more of the following: date of birth, Social Security number, account number, payment card number, payment card PIN, email address and password, medical information, health insurance information, tax ID, routing number, and driver’s license number or state ID.

Highland Health Systems has implemented new security monitoring software, adopted new encryption technologies, deployed additional NIST-compliant technical safeguards, revised security policies and procedures, and retrained workforce members. Highland Health Systems is unaware of any misuse of the exposed data but has offered the affected individuals complimentary credit monitoring and identity theft protection services for 12 months.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
