Tycon Medical Systems Reports Data Breach Affecting 112,847 Individuals
Data breaches have been confirmed by Tycon Medical Systems, North Los Angeles County Regional Center, Mohawk Valley Cardiology, and Summa Health.
Tycon Medical Systems
Tycon Medical Systems, a Norfolk, Virginia-based home medical equipment provider and distributor, has experienced a breach of the protected health information of 112,847 individuals. A breach notification was sent to the Massachusetts Attorney General about a cybersecurity incident involving personal information; however, the breach notification lacks any detail about the nature of the breach such as when it was discovered or the types of information involved. There is currently no substitute breach notice on the Tycon Medical Systems website. The HHS’ Office for Civil Rights website lists the data breach as a hacking/IT incident involving a network server. The affected individuals started to be notified on December 30, 2024, and have been offered complimentary credit monitoring and identity theft protection services for 24 months, which include a $1,000,000 identity theft insurance policy and credit restoration services.
North Los Angeles County Regional Center
North Los Angeles County Regional Center has announced that it fell victim to a ransomware attack in November 2024. Indicators of a ransomware attack were detected on November 28, 2024, steps were taken to contain the incident, and cybersecurity experts were engaged to assist with the investigation. The investigation confirmed there had been unauthorized access to its network starting on November 20, 2024, and continuing until December 1, 2024.
Before using ransomware to encrypt files, the threat actor copied files from its systems. The review of those files confirmed that they contained the following categories of patient information: first and last names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, financial account information, payment card information, health plan numbers, health plan beneficiary numbers, health insurance information, full-face photos and/or comparable images, UCI and patient ID numbers, medical information, lab results, medications, diagnosis/ treatment information, treatment cost information, disability codes, and certificate/license numbers.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The file review is ongoing to determine the patients affected; however, notification letters have been sent to all patients whose information was potentially involved as a precaution. The breach has been reported to the HHS’ Office for Civil Rights using a placeholder of 500 affected individuals, and the total will be updated when the file review concludes. Several steps have been taken in response to the attack to improve security, including password changes, strengthened password requirements, improved monitoring processes, and new technical safeguards.
Mohawk Valley Cardiology
Mohawk Valley Cardiology in Utica, New York, has notified 4,945 patients that some of their protected health information was exposed and potentially stolen in a recent cyberattack. When the incident was identified, an incident response team was deployed to terminate the unauthorized access and determine the nature and scope of the intrusion. The investigation confirmed that the breach involved first and last names, addresses, health insurance information, billing data, and health data. At the time of issuing notification letters, Mohawk Valley Cardiology was unaware of any misuse of the exposed data. The affected patients have been advised to monitor their accounts for signs of unauthorized activity.
Summa Health
Akron, Ohio-based Summa Health has learned that a former employee has accessed patient records without authorization for more than a year when there was no legitimate work reason for doing so. The unauthorized access was detected on November 11, 2024, prompting an investigation of access logs. Summa Health confirmed that the unauthorized access started on October 19, 2023, and continued until November 13, 2024.
The types of information viewed by the former employee included names, addresses, email addresses, telephone numbers, dates of birth, medical record numbers, partial Social Security numbers, and medical and treatment information. Summa Health said the individual concerned is no longer employed by Summa Health and no evidence has been found of misuse of patient data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Summa Health has reinforced staff training regarding the privacy and confidentiality of patient information. The HHS’ Office for Civil Rights website indicates 874 patients were affected.
