Columbus Regional Healthcare System Reports 133K Record Data Breach
Columbus Regional Healthcare System in Whiteville, NC, has notified the Maine Attorney General about a cybersecurity incident involving the theft of patient data. Unauthorized individuals had access to its network between May 19, 2023, and May 21, 2023, during which time files were removed from its network.
The file review was completed on December 28, 2023, and individual notifications have now been mailed to the affected individuals. The types of information involved varied from individual to individual and may have included names in combination with one or more of the following: Social Security number, date of birth, driver’s license number, state identification number, passport number, alien registration number, financial account information, medical information (date(s) of service, treatment/diagnosis information, medical record number, patient account number, and/or prescription information) and/or health insurance policy information.
The Notification to the Maine Attorney General indicates 132,887 individuals were affected. The healthcare system said no evidence has been found to indicate any actual or attempted misuse of that data. As a precaution against identity theft and fraud, Complimentary credit monitoring services have been offered to individuals who had their Social Security numbers exposed. Columbus Regional Healthcare said it had implemented safeguards to protect against unauthorized access and continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information.”
Senior PsychCare Notifies 75,000 Patients About December 2022 Data Breach
Texas-based Psychological Holdings, PLLC, which does business as Senior PsychCare (SPC), has notified 75,000 patients that some of their protected health information was exposed in a December 2022 security breach. According to the breach notification letters, unauthorized individuals had access to its network between December 13, 2022, and December 22, 2022.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Senior PsychCare engaged third-party cybersecurity professionals to conduct a forensic investigation which was followed by a manual review of all files on the parts of its network that were accessible to the attackers. That process was completed on November 20, 2023, and confirmed that the exposed information included names, addresses, Social Security numbers, medical information, and health insurance information.
Senior PsychCare said it is unaware of any actual or attempted misuse of patient data and has offered the affected individuals complimentary credit monitoring services as a precaution. SPC said it had cybersecurity measures in place to protect against unauthorized data access and continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal data.
Primary Health & Wellness Center Discloses October 2023 Ransomware Attack
Primary Health & Wellness Center in Baltimore County, MD, has recently notified 4,792 individuals that some of their protected health information was potentially compromised in a ransomware attack that was detected on October 20, 2023. According to the substitute breach notice, the affected server contained the medical records of patients from 2018 to present, which included names, addresses, dates of birth, Social Security numbers, and medical record data. The forensic investigation uncovered no evidence to indicate data was exfiltrated from the server before files were encrypted, and typically threat actors that use Phobos ransomware are not known to exfiltrate data. That said, it was not possible to totally rule out the possibility of data theft.
While data theft is not thought to have occurred, the affected patients have been advised to monitor their account statements and credit reports for potential fraudulent activity and to promptly report any suspected fraudulent activity to law enforcement. Primary Health & Wellness Center said it takes its responsibilities under HIPAA and the Maryland Confidentiality of Medical Records Act very seriously and genuinely apologizes for the incident and inconvenience caused.
PHI Compromised in Coastal Hospice & Palliative Care Cyberattack
Coastal Hospice & Palliative Care in Salisbury, MD, has recently announced that it suffered a cyberattack on July 24, 2023, that caused network disruption. Cybersecurity experts were engaged to investigate the incident and confirmed that its network had been accessed by unauthorized individuals. A review was conducted of all files on the network that had been exposed and may have been obtained by the attackers, and that process was completed on November 20, 2023. Notification letters were mailed to the affected individuals on January 22, 2023.
The information exposed and potentially stolen included names, Social Security numbers, dates of birth, medical diagnosis information, health insurance policy numbers, physician or medical facility information, medical condition or treatment information, and patient account numbers. The incident has been reported to the appropriate authorities, but it is not currently displayed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals were affected.
Aria Care Partners Discloses May 2023 Cyberattack
Aria Care Partners in Overland Park, KS, has recently disclosed a cybersecurity incident that occurred in May 2023. The forensic investigation confirmed there had been unauthorized access to its vision file server. A comprehensive review was conducted of all files on the server which was completed in December 2023 and confirmed that files had been exposed that contained patient names, dates of birth, Social Security numbers, driver’s license numbers, diagnosis, treatment information, and health insurance information.
Notification letters were mailed to the affected individuals on January 19, 2024, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services, which include a $1 million identity theft insurance policy, dark web monitoring, and identity theft recovery services.
The incident has been reported to the appropriate authorities, but it is not currently displayed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals were affected.
