Benson Health Notifies 28,913 Patients About May 2021 Data Breach

Benson Health in North Carolina has recently started notifying 28,913 patients that some of their protected health information was potentially accessed or acquired in a cyberattack that was detected on May 5, 2021. Benson Health said an investigation was immediately launched when the breach was detected, and a specialist cybersecurity and data privacy law firm and third-party forensic specialists were engaged to assist with the investigation. The investigation confirmed that a data set had been exposed and was potentially stolen by the attacker.

Data mining experts were retained to perform a comprehensive review of the affected information, which confirmed on July 7, 2022, that the dataset included names, birth dates, Social Security numbers, and health and treatment information.

Notification letters were sent to affected individuals on July 12, 2021, more than 14 months after the data breach was first detected. Affected individuals have been offered Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no charge for 12 months.

Business Email Compromise Attack Reported by AllOne Health

AllOne Health, a Wilkes-Barre, PA-based provider of workplace physical and mental health services, has recently announced that the email account of an employee has been accessed by an unauthorized third party. The breach was detected in February 2022 when wire transfers intended for one of its payees were discovered to have been routed to a fraudulently created bank account. The investigation of the incident revealed the email account of an employee had been compromised and used in the business email compromise attack to request fraudulent transfers. A forensic review was then conducted to determine whether any patient information was contained in the account.

Please see the HIPAA Journal Privacy Policy

AllOne Health said the email account contained the protected health information of 13,669 individuals, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and limited health information. While that information may have been accessed or obtained, the purpose of the attack was to make fraudulent wire transfers. Limited financial documents were accessed as part of the scam, but no evidence was found to indicate any patient data was viewed or obtained by the scammer.

AllOne Health said all company passwords were reset when the attack was detected, and additional security measures have now been implemented on its systems to prevent further email account breaches. Affected individuals have been offered a complimentary 12-month membership to Epiq’s identity protection and credit monitoring services.

PHI of More than 46,000 Patients Compromised in Data Breach at Southwest Health Center

Southwest Health Center in Platteville, WI, has recently announced that the protected health information of 46,142 patients has been accessed and obtained by unauthorized individuals.

Southwest Health Center identified suspicious activity within its network environment on January 11, 2022, with the forensic investigation confirming that unauthorized individuals gained access to folders containing patient information and removed certain files from its systems. A comprehensive review of the files was completed on May 27, 2022, and confirmed that patient information such as names, dates of birth, clinical and treatment information, and Social Security numbers were present in the files. The delay in issuing notification letters to affected individuals was due to the lengthy process of determining current address information for those individuals.

Southwest Health Center sent notification letters to affected individuals on July 5, 2022, and has offered 12 months of complimentary credit monitoring and identity theft restoration services through IDX.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.