Chattanooga Heart Institute Increases April 2023 Breach Total to 547,000 Individuals

The Chattanooga Heart Institute has discovered that its April 2023 cyberattack involved the personal information of a further 136,000 individuals. Data breaches have also been reported by Northern Virginia Oral, Maxillofacial & Implant Surgery, Ezras Choilim Health Center, Battle Mountain General Hospital, and RxBenefits.

More Than 547,000 Individuals Affected by April 2023 Cyberattack on The Chattanooga Heart Institute

The Chattanooga Heart Institute in Texas has revised the number of people affected by an April 2023 cyberattack. The investigation confirmed that its network was breached between March 8, 2023, and March 16, 2023, and on May 31, 2023, The Chattanooga Heart Institute confirmed that files had been exfiltrated from its network. The Karakurt threat group claimed responsibility for the attack.

The initial review of the affected files confirmed in July 2023 that at least 170,450 individuals had been affected, and notifications were sent to those individuals, but as the investigation progressed it became clear that the breach was more extensive. In October 2023, the victim count was doubled to 411,383 individuals, with additional notification letters sent on October 5, 2023. Further notifications were mailed on February 13, 2024, March 12, 2024, and March 27, 2024, with 547,434 individuals now known to have been affected.

Many of the individuals who were recently notified about the breach were employees and their dependents. The compromised information includes names, mailing addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, account information, health insurance information, diagnosis/condition information, lab results, medications, and other clinical, demographic, or financial information. Credit monitoring services have been offered to the affected individuals.

Almost 60,000 Individuals Affected by Cyberattack on Ezras Choilim Health Center

Ezras Choilim Health Center in Monroe, NY, has recently reported a breach of the protected health information of 59,861 individuals to the HHS’ Office for Civil Rights. Unusual activity was detected within its network on September 18, 2023, with the forensic investigation confirming on November 14, 2023, that the attacker exfiltrated files from the network. Ezras Choilim Health Center publicly disclosed the data breach a few days later, but the review of the affected files was still ongoing at the time.

It has now been confirmed that names were exposed and potentially obtained in the attack along with addresses, dates of birth, Social Security numbers, health information, and limited medical information. Ezras Choilim Health Center said data privacy and security are among its highest priorities and steps have been taken to improve security and mitigate the risk of harm. Those measures include setting up a security operations center for monitoring, detecting, and responding to security threats across its information systems and network.

Patient Data Exposed in Northern Virginia Oral, Maxillofacial & Implant Surgery Cyberattack

Northern Virginia Oral, Maxillofacial & Implant Surgery (NOVA OMS) has notified 5,568 individuals (including 4,333 patients) about the exposure of some of their protected health information in a cyberattack detected on October 5, 2023. The third-party forensic investigation revealed that personal and protected health information may have been accessed and exfiltrated without authorization between October 3, 2023, and October 6, 2023. The review of the affected files was completed in late February, and the affected individuals have now been mailed notification letters.

The information involved varied from individual to individual and may have included names, driver’s license numbers, medical information, health insurance information, and other sensitive data, the details of which are included in the individual notifications. Complimentary identity protection services have been offered to the affected individuals. NOVA OMS said additional safeguards have now been implemented to prevent similar incidents in the future.

RxBenefits Reports Impermissible Disclosure of PHI Due to Mailing Error

RxBenefits, a Birmingham, AL-based Pharmacy Benefits Administrator, has discovered a mailing error that resulted in letters being sent to incorrect individuals. The mailing error was discovered on January 16, 2024, and it was determined that letters intended for 3,396 individuals had been sent to other individuals. The letters stated that as of January 1, 2024, medications required by the intended recipient or their dependent may require prior authorization from a physician. The letters contained names and addresses and confirmed that the intended recipient or their dependent took that specific medication. The affected individuals were AdventHealth Employee Health Plan members.

RxBenefits said it is reviewing its HIPAA privacy and security policies and procedures to ensure ongoing compliance, and that additional security and privacy measures have been implemented to prevent similar incidents in the future.

3,000 Individuals Have PHI Exposed in Cyberattack on Battle Mountain General Hospital

Battle Mountain General Hospital in Nevada has recently announced that the personal and protected health information of employees and patients has been exposed and potentially stolen. On January 25, 2024, an unauthorized individual exploited a vulnerability and remotely accessed an employee workstation. The forensic investigation confirmed that the exposed data included names, addresses, dates of birth, Social Security numbers, medical histories, and treatment information of patients and employees. Approximately 3,000 individuals had their data exposed.

Battle Mountain General Hospital CEO, Jason Bleak, said “I am deeply sorry for what has happened, and sincerely apologize for the understandable distress this incident may cause those affected. I am fully committed to making it right.” While data has been exposed, no evidence has been found to indicate that any of the exposed data has been shared, published, or misused; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
