More Than 909,000 Individuals Affected by Cyberattack on New York IT Services Provider
ATSG Inc., an IT services company headquartered in New York, has recently reported a September 2024 data breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that involved the protected health information of 909,469 individuals. The breach was reported as a hacking/IT incident involving unauthorized access to a network server.
It is currently unclear how many ATSG clients were affected, but one was Boston Children’s Health Physicians. Boston Children’s Health Physicians recently confirmed that it had fallen victim to a cyberattack through its IT vendor and said sensitive data was stolen in the attack. Boston Children’s Health Physicians has only released limited information about the attack and data breach at this stage but has confirmed that it was one of several clients of the IT vendor to be affected. Boston Children’s Health Physicians chose to issue its own notifications to the affected patients, which were sent around a month after the attack occurred.
The BianLian threat group claimed responsibility for the attack and added Boston Children’s Health Physicians to its dark web data leak site. The listing has now been removed, which suggests the ransom was paid. It is unclear if ATSG also paid a ransom. Two BianLian healthcare victims that do not appear to have paid the ransom are River Region Cardiology Associates in Alabama and Augusta-Aiken Orthopedic Specialists in Georgia. Both are listed on the BianLian data leak site. Neither company has published a website substitute notice or reported a breach to OCR at the time of writing.
Update: River Region Cardiology has not published a breach notice on its website but has reported a data breach to the HHS’ Office for Civil Rights. The breach summary indicates up to 500,000 patients were affected.
Summit Pathology, Colorado
Summit Pathology and Summit Pathology Laboratories in Loveland, Colorado have been affected by a cyberattack. The attack was detected on or around April 18, 2024, and the forensic investigation confirmed that files were exposed and potentially accessed or downloaded in the incident. The files contained names, addresses, medical billing and insurance information, medical information such as diagnoses, and demographic information such as dates of birth, Social Security numbers, and financial information.
Additional safeguards have been implemented and the affected individuals have been offered complimentary credit monitoring and identity theft protection services, which include a $1 million identity theft insurance policy. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.
Update: The data breach affected more than 1.8 million individuals – further information is available in this post.
Community Dental, Maine
Community Dental in Portland, ME, has recently notified 1,461 individuals about a September 2023 hacking incident. The investigation confirmed that an unauthorized third party had access to its network between September 19, 2023, and September 20, 2023. Community Dental confirmed that the systems accessed contained files that included patient data, and those files may have been viewed or downloaded. The investigation and file review have now been completed and notification letters have been sent to the affected individuals.
The information involved included full names, addresses, Social Security numbers, dates of birth, health insurance information, and medical information such as treatment and diagnosis information. The delay in issuing notification letters was due to the comprehensive, time-intensive review of the affected files and the time taken to verify contact information to allow notification letters to be mailed. Community Dental has implemented additional safeguards to prevent similar breaches in the future and has offered the affected individuals complimentary credit monitoring and identity restoration services.


