Colorado Fertility Center Ransomware Attack Affects 80,000 Patients
Conceptions Reproductive Associates of Colorado has suffered a ransomware attack; hacking incidents have been reported by Lexington Diagnostic Center, In-Home Attendant Services, and Youth Eastside Services; and email accounts have been compromised at Summit Medical Group.
Conceptions Reproductive Associates of Colorado
The fertility clinic, Conceptions Reproductive Associates of Colorado, has recently confirmed that it was the victim of a ransomware attack that involved unauthorized access to its network and the theft of the information of up to 80,000 current and former patients and their partners.
The incident was detected in mid-April when disruption was caused to some of its legacy computer systems. Incident response procedures were immediately implemented, the intrusion was reported to law enforcement, and an investigation was launched to determine the nature and extent of the unauthorized activity. The investigation confirmed that the ransomware group gained access to certain legacy systems earlier in the month and exfiltrated data.
The file review has recently been completed and individual notifications have been mailed to all individuals for whom current address information was held. The information stolen in the attack varied from individual to individual and may have included names in combination with one or more of the following: address, phone number, tests ordered, test results, vital signs, physical examination findings, and diagnostic images. A small percentage of individuals may also have had the following information compromised: Social Security number, driver’s license number/other government-issued ID, checking account number, and/or credit/debit card number. In many cases, credit/debit card numbers had already expired.
While the practice is unaware of any misuse of the stolen data, complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. Conceptions Reproductive Associates has taken steps to improve security to prevent similar incidents in the future, including reconfiguring its network infrastructure, enhancing password complexity requirements, and strengthening remote access security by adding multi-factor authentication.
Lexington Diagnostic Center
Lexington Diagnostic Center, a Lexington, KY-based radiology center, has notified 29,819 patients about a hacking incident detected on March 16, 2024. After securing its systems, a forensic investigation was initiated to determine the extent and nature of the unauthorized access. No evidence was found of unauthorized access to electronic health records; however, the hackers did gain access to systems where files containing patient data were stored. Those files may have been accessed or removed between February 26, 2024, and March 16, 2024.
The manual review of those files was completed on November 26, 2024, and confirmed that the following data had been exposed: names, addresses, phone numbers, dates of birth, Social Security numbers, medical record numbers, patient account numbers, health plan beneficiary numbers, and medical diagnosis/medical treatment information. Lexington Diagnostic Center said the exposed data varied from individual to individual and no evidence has been found of any misuse of that data. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services, and practices have been modified to enhance data security.
In-Home Attendant Services Ltd.
In-Home Attendant Services Ltd., a Texas home health care agency, has experienced a network security breach. The substitute breach notice does not state when the breach occurred. The investigation confirmed that files had been stolen which potentially contained the data of up to 22,000 patients. The substitute notice does not state what types of information were involved, but that information will be detailed in the individual notifications.
The website of the Texas Attorney General states that names, addresses, dates of birth, Social Security numbers, driver’s license numbers, government-issued ID numbers such as passports or state ID cards, financial information such as account numbers, credit or debit card numbers, medical information, and health insurance information were involved. A new computer network has been built and state-of-the-art software implemented that can help with real-time prevention, detection, and response to cyber threats.
Youth Eastside Services
Youth Eastside Services, a Bellevue, WA-based provider of mental health counseling and substance abuse treatment, is investigating a network security incident. Suspicious activity was identified within its network on November 13, 2024, and the investigation confirmed that there had been unauthorized access by an unknown actor between November 3 and November 14, 2024. During that time, files may have been viewed or acquired.
The review of those files is ongoing; however, it was confirmed on December 3, 2024, that the files contained the information of current and former patients, donors, and employees. The information potentially compromised includes names, medical record identification numbers, dates of birth, addresses, demographic information, diagnoses, clinical documentation, claims information, insurance information, and service/appointment dates. For most donors affected by the incident, only names and contact information were exposed.
When the review is completed, individual notifications will be mailed. In the interim, the breach was reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. The total will be updated when the review is completed.
Summit Medical Group
Summit Medical Group in Tennessee has discovered unauthorized access to its email system. The breach was detected on November 22, 2024, and the forensic investigation confirmed that certain employee email accounts were accessed by an unauthorized third party between September 19, 2024, and November 21, 2024.
The analysis is ongoing, but it has been confirmed that emails and attachments in the account included the protected health information of 611 patients. The types of data exposed varied from patient to patient and included names in combination with one or more of the following: contact information, demographic information, medical record numbers, provider names, dates of services, facilities of service, treatment information, and/or health insurance information. The security breach was reported to law enforcement, additional training has been provided to employees whose email accounts were compromised, and email security has been strengthened. Notification letters were mailed to the affected individuals on December 13, 2024.


