Billing Support Vendor Notifies 701K Patients About December 2023 Data Breach
Medusind, a Florida-based revenue cycle management vendor and practice management software provider, has recently started notifying individuals about a security breach detected more than a year ago. According to the notification letters, the unauthorized access occurred on December 23, 2023, and was detected and blocked the same day. A third-party cybersecurity firm was engaged to investigate the breach, and evidence was found of data exfiltration. The review of the affected files has now been completed, and notification letters have been mailed. Medusind is offering the affected individuals two years of complimentary credit monitoring and identity theft protection services.
Information potentially compromised in the incident includes health insurance and billing information, debit/credit card numbers or bank account information, health information such as medical history, medical record number, or prescription information, government identification such as Social Security number, taxpayer ID, driver’s license number, or passport number), and other personal information such as date of birth, email address, address, or phone number. Medusind said it has implemented additional security measures to prevent similar breaches in the future.
The breach was reported to the Maine Attorney General as involving the data of 360,934 individuals; however, the breach has since been added to the HHS’ Office for Civil Rights website, first as involving the protected health information of 694,054 individuals, and later updated to 701,475 individuals.
Email Account Compromised at Indiana University Health
On January 7, 2025, Indiana University Health (IU Health) announced that it had detected suspicious activity in a user’s email account on November 8, 2024. After securing the account to prevent further unauthorized access, IU Health investigated the potential breach. Assisted by a third-party digital forensics firm, IU Health confirmed that a threat actor had access to the email account from August 27, 2024, to October 2, 2024.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The review of emails and attachments has now been completed, and notification letters were sent to the affected individuals on January 2, 2025. The information potentially compromised varied from individual to individual and may have included names, addresses, ages, medical record numbers, diagnoses, limited treatment information, and for a small subset of individuals, Social Security numbers. Individuals who had their Social Security numbers compromised have been offered complimentary credit monitoring services for 12 months. The breach was reported to the Office for Civil Rights as involving the data of 515 patients.
Mid-Ohio Psychological Services Inc. Falls Victim to Ransomware Attack
Mid-Ohio Psychological Services Inc., a Lancaster, OH-based healthcare service provider, has fallen victim to a ransomware attack that involved unauthorized access to systems containing the protected health information of 40,345 current and former patients.
The attack was detected on October 21, 2024, and the file review confirmed that sensitive data had been compromised including names, addresses, dates of birth, Social Security numbers, and financial information. Little information has been released about the incident so far, which was reported to the HHS’ Office for Civil Rights on November 1, 2024, as an unauthorized access/disclosure incident. There is currently no substitute breach notice on its website.
The Black Suit ransomware group, formerly Royal, has claimed responsibility for the attack and has added Mid-Ohio Psychological Services to its data leak site. Black Suit claims to have exfiltrated 168 GB of data in the attack, although no data is currently available for download.
Data of Khalil Foundation (Khalil Center) Patients Exposed on the Internet
Khalil Foundation, doing business as Khalil Center, a psychological and spiritual community wellness center, has discovered that one of its vendors (Transform Studios) has exposed data on the internet via an unsecured Amazon S3 bucket. After being notified about the exposed data, the S3 bucket was immediately secured to prevent further unauthorized access and the breach has been reported to the HHS’ Office for Civil Rights as involving the protected health information of 1,153 individuals. The Killsec threat group claims to have obtained the exposed data and has attempted to extort Khalil Center.
