The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

BianLian Threat Group Claims Responsibility for Cyberattack on Tennessee Eye Clinic Network

Posted By on Apr 25, 2024

Politzer and Durocher, PLC, which does business as Optometric Physicians of Middle Tennessee (OPMT), has recently reported a hacking incident to the HHS Office for Civil Rights involving the personal and protected health information of 29,000 individuals. The Lebanon, TN-based eye clinic chain said it detected unauthorized access to its network on March 25, 2024. The attackers had circumvented its security controls, and accessed one of its servers and exfiltrated files containing “a very limited amount of healthcare information.” The investigation confirmed that other identifying information may have been accessed in the attack. A forensic investigation is currently underway to determine the exact types of information involved and notification letters will be mailed to the affected individuals when that process is completed. OPMT said, “Even though it is not specifically required by HIPAA, we will offer identity theft protection services to all affected individuals; we feel that this is an important precaution to protect our patients.”

The BianLian group has claimed responsibility for the attack. Like several other cybercriminal groups, BianLian tends not to use ransomware anymore and just steals data and demands payment to prevent the exposure or sale of the data. The BianLian has added OPMT to its leak site and claims to have exfiltrated 1.5TB of data in the attack, including financial information, HR data, biometric data, contracts and confidential agreements, SQL databases, and patients’ PII and PHI.

Moffitt Cancer Center Affected by Data Breach at Advarra

Moffitt Cancer Center has recently announced that it has been affected by a security breach at one of its vendors, Advarra.  Advarra provided services to Moffitt Cancer Center related to the care and treatment of patients and a research study. On October 26, 2023, Advarra discovered suspicious activity in an employee’s user account. The forensic investigation confirmed it had been accessed by an unauthorized individual on October 25, 2023, who acquired a limited amount of data. On or around February 8, 2024, Advarra completed its file review and confirmed that the compromised data belonged to Moffitt Cancer Center.

Moffitt Cancer Center was notified about the breach by Advarra on February 21, 2024, and completed its review of the affected data on March 13, 2024. Moffitt Cancer Center has confirmed that its own systems were not accessed and that the information exposed was limited to names, dates of birth, and Social Security numbers. Advarra is notifying the affected individuals on behalf of Moffitt Cancer Center.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Advarra has recently reported the breach to the HHS’ Office for Civil Rights as affecting 596 individuals and Moffit Cancer Center has reported the breach to the Maine Attorney General as affecting 26,577 individuals. Advarra said it has implemented additional measures to further strengthen its internal files system and is offering the affected individuals complimentary identity theft monitoring through Kroll. Moffitt Cancer Center also recently announced that it was affected by a data breach at another vendor, the law firm Gunster, Yoakley, and Stewart.

Patient Data Stolen in Cyberattack on Somerset Dental Las Vegas

Somerset Dental Las Vegas in Nevada has notified 11,321 patients that some of their protected health information has been exposed. The security breach was detected on February 16, 2024, and a third-party forensic investigation confirmed that certain files were exfiltrated from its network in the attack. The stolen data varied from individual to individual and may have included names, dates of birth, addresses, telephone numbers, email addresses, Social Security numbers, driver’s license numbers, health information, and dental insurance information.  Somerset Dental Las Vegas said it is reviewing its security safeguards and will strengthen security. Complimentary identity protection and credit monitoring services have been offered to individuals whose Social Security numbers and/or driver’s license numbers were involved.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist