Healthcare Data Breaches Affect Patients in AL, IN, MN, NC, NY, OR, and NY
Breaches of protected health information have recently been confirmed by Fraser Child and Family Center (MN), UAB School of Nursing (AL), Meridian Internal Medicine (NC), Advantage Orthopedic & Sports Medicine (OR), and South Western Communications (IN), and Aire Dental Arts (NY).
Fraser Child and Family Center, Minnesota
Fraser Child and Family Center, a Minnesota-based provider of autism, mental/behavioral health, and disability services, detected suspicious activity within its computer network on June 2, 2024. Steps were taken to secure its IT systems and prevent further unauthorized access and a third-party forensic investigation was initiated to determine the nature and scope of the incident. The investigation confirmed that an unauthorized third party had access to its network From May 30, 2024, to June 2, 2024, and during that time, accessed or copied files without authorization.
The file review determined that up to 67,000 patients may have been affected and potentially had their names, addresses, dates of birth, Social Security numbers, and medical information exposed; however, no evidence of misuse of that information has been identified.
Meridian Internal Medicine, North Carolina
Meridian Internal Medicine, an Asheboro, NC-based healthcare revenue cycle management company, has notified 2,656 patients about a March 2024 cyberattack that exposed their personal information. The cyberattack was first discovered on March 18, 2024, and immediate action was taken to prevent further unauthorized access. The forensic investigation confirmed there had been unauthorized access to files containing patient data.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
It took a considerable amount of time to reconstruct and review the affected data, with that process not completed until May 22, 2024. The notification to the New Hampshire Attorney General does not state what types of data were compromised, only that the information varied from individual to individual. Complimentary credit monitoring services have been made available to eligible individuals. The breach prompted Meridian Internal to reset passwords for all accounts, update policies and procedures, implement new technical safeguards, and enhance other data security measures. Further training has also been provided to the workforce.
Advantage Orthopedic & Sports Medicine, Oregon
Advantage Orthopedic & Sports Medicine in Oregon has recently notified 1,937 patients about a January 2024 cyberattack. The attack was detected on February 11, 2024, and the forensic investigation confirmed that an unauthorized third party first accessed its network on January 29, 2024. The incident was disclosed on its website in February; however, it has taken time to investigate the breach and determine the individuals affected and the types of data involved.
The types of information compromised in the incident include names, dates of birth, Social Security numbers, financial account information, clinical or treatment information, medical provider names, medical record numbers, patient account numbers, medical procedure information, health insurance information, billing information, and/or prescription information. In response to the attack, Advantage Orthopedic changed passwords and expanded its use of multifactor authentication. While data was exposed, Advantage Orthopedic is unaware of any misuse of that information.
South Western Communications, Indiana
South Western Communications, an Indiana-based provider of integrated, communications, life safety, and security solutions for healthcare organizations, has recently notified 1,115 individuals that some of their protected health information was potentially acquired by unauthorized individuals in a December 2023 ransomware attack.
The attack was discovered on December 22, 2023, with the forensic investigation confirming that a ransomware group had access to its network between December 21, 2023, and December 22, 2023. A comprehensive review was conducted to determine the types of data potentially compromised in the attack and it was confirmed on July 10, 2024, that protected health information was involved. The information potentially stolen in the attack included names, dates of birth, Social Security numbers, payment card information, health insurance information, passport numbers, financial account information, usernames and passwords, and/or driver’s license/state ID numbers. South Western Communications said the attack was reported to the Federal Bureau of Investigation and additional measures have been implemented to prevent similar attacks in the future.
Aire Dental Arts, New York
The Midtown, Manhattan dental practice, Aire Dental Arts, is starting to notify certain patients that some of their protected health information was compromised in a June 2024 data security incident. Third-party computer forensics experts were engaged to investigate the incident, help secure its systems, and restore access to data. The investigation confirmed there had been access to files containing patient data. Aire Dental Arts has recently completed the file review and started issuing individual notifications. Additional security measures have been implemented to prevent similar incidents in the future. The breach is not yet shown on the HHS’ Office for Civil Rights website so it is currently unclear how many patients have been affected.
University of Alabama at Birmingham School of Nursing
University of Alabama at Birmingham School of Nursing has recently alerted 1,655 individuals about an impermissible disclosure of some of their protected health information. A study recruitment postcard was sent to patients to encourage participation in a survey related to a breast cancer diagnosis. The nature of the communication meant the patients’ diagnosis could be inferred. UAB School of Nursing has sent an apology letter to the affected patients and has taken steps to prevent similar errors in the future.
