Health Plan Data Exposed in Cattaraugus-Allegany Board of Cooperative Education Services Cyberattack
Cyberattacks have been reported by Cattaraugus-Allegany Board of Cooperative Education Services and the Burlington, NC-based dentist, Mary H. Makhlouf, DMD, MS, PA. Highmark has discovered a database error that resulted in letters being mailed to incorrect addresses.
Cattaraugus-Allegany Board of Cooperative Education Services Cyberattack Affects 15,203 Medical Plan Members
Cattaraugus-Allegany Board of Cooperative Education Services (CABOCES) in southwestern New York has fallen victim to “a sophisticated cyberattack… that caused some of its internal tools, software, and servers to become temporarily unavailable.” CABOCES engaged third-party cybersecurity experts who confirmed that an unauthorized third party had access to its systems between July 5, 2023, and July 20, 2023. During that time, the attacker had access to the data of current and former employees who were members of the AC Schools Medical Health Plan.
The review of the affected files confirmed that they contained names, Social Security numbers, financial account information, driver’s license numbers, passport information, medical information, and/or health insurance information. Notifications started to be mailed to the 15,203 affected individuals on April 4, 2024.
Highmark Discovers Database Error Caused Letters to be Sent to Previous Addresses
Highmark has discovered that an August 2023 database update resulted in care and case management letters to members’ previous addresses. The error was identified and corrected in February 2024, letters; however, between August 2023 and February 2024, letters were inadvertently mailed to individuals’ previous addresses. The error only affected individuals who previously had a change of address – 5,356 individuals.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The letters included the individual’s name and Highmark identification number, and depending on the type of letter sent, may also have included a reference number, employer group name and number, date of birth, a service date range, a service or procedure code and description, medication name and dosage, and the provider or facility name. Notification letters were sent to the affected individuals on April 2, 2024.
Highmark said the error has been fixed and additional controls have been implemented to prevent similar incidents in the future, including database changes to maintain the accuracy of member addresses, flags for the current active address, and validation checks to make sure that members have only one active address loaded to the database.
North Carolina Dental Practice Suffers Ransomware Attack
The Burlington, NC-based dentist, Mary H. Makhlouf, DMD, MS, PA, has recently announced that her practice was hit with a sophisticated ransomware attack on January 24, 2024. Upon detection, the network was immediately secured to prevent further unauthorized access, and third-party cybersecurity specialists were engaged to investigate the incident.
The investigation uncovered evidence that portions of patient files were subject to unauthorized access. While it has not yet been possible to determine exactly what information was accessed or copied from the network, the exposed files contained names and one or more of the following types of information: address, phone number, email address, date of birth, Social Security Number, driver’s license/state ID number, financial account information, treatment/diagnosis information, prescription information, provider name, medical record/case number, Medicare/Medicaid ID number, health insurance information, and treatment cost.
Notification letters will shortly be mailed to the affected individuals once up-to-date address information has been obtained. The breach has recently been reported to the HHS’ Office for Civil Rights as affecting up to 1,797 individuals.
