OnePoint Patient Care Data Breach Affects 1.7 Million Individuals; Ransom Group Leaks Data
On October 14, 2024, OnePoint Patient Care notified the HHS’ Office for Civil Rights (OCR) about a hacking-related data breach that involved the protected health information of 795,916 individuals; however, on November 22, 2024, the Maine Attorney General was notified that the data breach affected more than twice the number of people – 1,741,152 individuals, including 99 Maine residents. Notification letters started to be mailed to the affected individuals on November 26, 2024.
The notification to the Maine Attorney General does not include any additional information about the cyberattack or data breach, other than what is stated in our October 25, 2024, post below. Since the publication of that post, further information has come to light about the cause of the breach. The INC Ransom group, a ransomware-as-a-service group that engages in double extortion tactics, has claimed responsibility for the attack. INC Ransom breaches networks, identifies sensitive data, exfiltrates that information, and then encrypts files. A ransom must be paid to obtain the keys to decrypt the data and also to prevent the publication of the stolen data.
While it is possible that a ransom was paid to recover files, payment was not made to the group to prevent the publication of the stolen data, as OnePoint Patient Care has been added to the group’s data leak site and the stolen data is available for download. As of November 28, 2024, the INC Ransom data leak site shows that the OnePoint Patient Care post has been viewed 14,246 times. It is unclear how many times the data has been downloaded.
OnePoint Patient Care states in the notification letters that it is unaware of any actual or attempted misuse of the stolen data; however, the full data leak makes misuse of the stolen data likely. It is therefore important for all affected individuals to sign up for the credit monitoring and identity theft services that have been offered and to be vigilant against any misuse of their data.
October 25, 2024: Almost 800,000 Individuals Affected by Cyberattack on Arizona Pharmacy
OnePoint Patient Care, a Tempe, AZ-based hospice-dedicated pharmacy, has experienced a major data breach that involved the protected health information of 795,916 individuals. Suspicious activity was identified within its computer network on August 8, 2024, and immediate action was taken to contain the breach and prevent further unauthorized access to its systems.
OnePoint Patient Care reported the incident to law enforcement and said it had no impact on its business operations. Third-party cybersecurity experts were engaged to investigate the breach and on August 15, 2024, confirmed that between August 6 and August 8, 2024, files were exfiltrated from its systems without authorization.
Some of those files contained customer information including names, residence information, medical record numbers, diagnoses, and prescription information. Social Security numbers were also compromised for a subset of the affected customers. While data theft has been confirmed, OnePoint Patient Care is unaware of any actual or attempted misuse of the stolen data.
The affected individuals have been notified and advised to monitor their credit reports, account statements, and benefit statements for suspicious activity. Individuals who had their Social Security number compromised have been offered complimentary credit monitoring and identity theft protection services. OnePoint Patient Care said it is committed to ensuring the privacy and security of personal data and is implementing additional safeguards to prevent similar breaches in the future.
Dohman, Akerlund & Eddy, Nebraska
Dohman, Akerlund & Eddy, an Aurora, NE-based tax, accounting, and business consulting firm, discovered on February 28, 2024, that hackers had gained access to its network. The forensic investigation indicated the unauthorized access started on or just before February 28, and that the parts of the network accessible to the hackers contained files that included sensitive information provided to the firm by hospitals in the Aurora area that availed of its auditing services.
Dohman, Akerlund & Eddy engaged third-party data review specialists to determine the individuals affected and the types of data involved. On September 26, 2024, it was confirmed that protected health information was included in the data set, including names, addresses, dates of birth, diagnosis and treatment information, dates of service, Social Security numbers, health insurance provider names, claims information, and treatment cost information.
Dohman, Akerlund & Eddy said it has no reason to believe that any of the compromised information has been misused. As a precaution against identity theft and fraud, the affected individuals have been offered Single Bureau Credit Monitoring/Credit Report/Credit Score services at no charge. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 9,941 individuals.
Northeast Spine and Sports Medicine, New Jersey
Northeast Spine and Sports Medicine in Point Pleasant, New Jersey, has experienced a breach of the protected health information of 6,300 individuals. The breach was detected on or around January 8, 2024, and the third-party forensic investigation confirmed that an unauthorized third party illegally accessed its network between late December 2023 and January 8, 2024.
Northeast Spine and Sports Medicine said the cybersecurity specialists investigating the breach are reasonably certain that the BianLian threat group was behind the attack and that sensitive patient data may have been stolen by the group. The data review confirmed the following data had been exposed and potentially stolen: full names, sex/gender, addresses, phone numbers, dates of birth, Social Security numbers, and medical information. For some individuals, the compromised information included medical billing and financial data, including insurance and payment information, medical record numbers, health plan beneficiary numbers, and account numbers. In some cases, the breach involved the data of the person who paid for the medical services.
Northeast Spine and Sports Medicine said it implemented and will continue to implement additional security measures, including enhanced multi-factor authentication, firewall upgrades, and event monitoring. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.


