Apria Healthcare Breach Affects Up to 1.8 Million Individuals
Apria Healthcare LLC, an Indianapolis-based provider of home medical equipment for sleep apnea, has recently sent notifications to individuals about a historic data breach. Apria was alerted about unauthorized access to some of its systems on September 1, 2021. According to the breach notification letters, steps were immediately taken to mitigate the incident, and Apria worked with a third-party forensics team and the Federal Bureau of Investigation. The investigation confirmed its systems were accessed by an unauthorized individual between April 5, 2019, and May 7, 2019, and again from August 27, 2021, to October 10, 2021. The investigation determined that access was gained to its systems primarily to obtain funds from Apria, rather than to obtain the personal information of patients or employees.
While the investigation confirmed that some files containing protected health information were accessed, no evidence of data theft was found; however, data theft could not be ruled out. According to the breach notification sent to the Maine Attorney General, the files on its system that were potentially accessed contained the personal and protected health information of 1,869,598 individuals. The information involved varied from individual to individual and may have included personal, medical, health insurance, and financial information, and for a limited number of individuals, Social Security numbers.
Apria said it has implemented additional security measures to prevent similar HIPAA breaches in the future and affected individuals have been offered one year of complimentary credit monitoring services through Kroll. It is unclear why it took 20 months from the discovery of the intrusion for breach notification letters to be issued.
Illinois Department of Human Services Reports Breach of Benefits Eligibility System
The Illinois Department of Healthcare and Family Services (IHFS) and the Illinois Department of Human Services (IDHS) have recently announced that unauthorized individuals gained access to the Manage My Case (MMC) portal of the state Application for Benefits Eligibility (ABE) system, which is used for determining eligibility for State-funded medical benefits programs (Medicaid), the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF).
Unauthorized accounts were created in the ABE system and were then used to access and link to existing customer MMC accounts, using customers’ personal information that had been stolen from another source. The information exposed as a result of the breach included names, Social Security numbers, recipient identification numbers, addresses, phone numbers, and income information.
The portal has been secured and unauthorized access has been blocked. 50,839 individuals who applied for or are receiving benefits through the ABE system have been affected.
Link Audiology Reports Email Account Breach
Link Audiology LLC, a Silverdale, WA-based provider of audiology services, has recently confirmed that the protected health information of up to 7,200 current and former patients has been exposed due to the hacking of an employee email account. The compromised account contained email communications between Link Audiology and a company that was used to handle billing to insurance companies and patients.
The purpose of the attack appears to have been to divert payroll rather than obtain patient information. The email account breach was detected on April 4, 2023, when a fraudulent payroll submission appeared on the company checking account. The investigation revealed the email account was compromised on March 20, 2023, and that the account was again accessed between March 29, 2023, and April 4, 2023. The email account contained copies of personal and insurance checks and copies of insurance Explanation of Benefits (EOB) forms.
A password reset was performed for all email accounts and two-factor authentication was enabled. Internal protocols have also been updated to limit the exposure of data in the event of a similar attack in the future. The decision was taken to send notification letters to all individuals in its database as a precaution since it was not possible to determine if any patient information had been accessed.
Email Account Breach Impacts Patients of Beltone Hearing Aid Centers
Grohler Hearing Aid Center, Inc, doing business as Beltone Hearing Aid Centers, has notified 5,272 individuals about the exposure of some of their protected health information. On March 1, 2023, an employee received a fraudulent request for payment from one of its vendors. The investigation revealed an unauthorized third party had accessed an employee’s Microsoft 365 online account on February 21, 2023, when the employee responded to a phishing email.
The unauthorized individual was discovered to have accessed documents in the account that included the full names, internal patient identification numbers, and insurance providers of 50 patients. It was not possible to rule out access to other patients’ protected health information that was present in other emails in the account, although evidence of data access and data theft was not found. Those emails contained information such as patient names, treatment information (including the hearing aid worn by the patient), address, date of birth, driver’s license number, Social Security Number, insurance claims information, patient identification numbers, health information, and credit card/bank account information. Additional security measures have been implemented and further training has been provided to the workforce.


