ConsensioHealth Ransomware Attack Affects 61,000 Patients
The Wisconsin-based medical billing service, ConsensioHealth, has recently notified 60,871 individuals about a July 2023 ransomware attack. The attack was discovered on July 3, 2023, when staff were prevented from accessing files on the network. Steps were immediately taken to prevent further unauthorized access and third-party cybersecurity experts were engaged to assist with the investigation and to help determine whether patient data was accessed or copied from its systems. The investigation confirmed that data had been stolen, and on November 7, 2023, it was confirmed that some of those files contained the data of patients of the following covered entities:
- Emergency Medicine Specialists, S.C.
- Ascension Wisconsin
- Wisconsin Urgent Care
- Kenosha Urgicare
- Fox Valley Emergency Medicine
- Dr. Linda Jingle
- Woundcare Innovations of Golf Land
The impacted data varied from individual to individual and may have included the following data types: name, address, date of birth, driver’s license or other state identification number, Social Security number, account access credentials, health insurance information, medical treatment and diagnosis information, medical treatment cost information, patient account number, Medicare or Medicaid number, healthcare provider information, and prescription information.
ConsensioHealth said its information security practices have been reviewed and updated and additional security measures have been implemented.
Southeastern Orthopaedic Specialists Data Incident Affects 35,500 Patients
Southeastern Orthopaedic Specialists in Greensboro, NC, has identified unauthorized access to its network and the potential theft of the protected health information of 35,533 patients.
The Southeastern Orthopaedic Specialists substitute breach notice is devoid of any meaningful information about the data incident, which is described as “a cybersecurity incident that impacted its IT systems.” The breach notice does not state when the breach occurred, when it was detected, for how long hackers had access to the network, whether there was access to patient data, if data was stolen, what types of data were exposed or stolen, or the nature of the attack.
The December 19, 2023, notice only states that no evidence of fraud or identity theft was identified, which may lead the affected individuals to believe that there is little risk; however, there is insufficient information in the notice to allow the affected individuals to gauge the level of risk they face. The breach was sufficiently severe to warrant providing the affected individuals with complimentary credit monitoring and identity theft protection services. It is strongly advisable to take advantage of those services, as the NoEscape ransomware group claimed responsibility for the attack and said 3 GB of data was exfiltrated from the Southeastern Orthopaedic Specialists network.
Data of Healthcare Clients Exposed in Burr & Forman Cyberattack
The Birmingham, Alabama Am Law 200 firm, Burr & Forman, has recently confirmed that it fell victim to a cyberattack in October 2023 that resulted in unauthorized access to client data, including the data of two clients that are covered by HIPAA. Suspicious activity was detected on one of its laptops in October and the laptop was immediately isolated to prevent further access.
According to the law firm Constangy, Brooks, Smith & Prophete, which is representing Burr & Forman, the cyberattack was detected promptly and was rapidly contained, but it was not possible to prevent unauthorized access to documents on its systems. On November 10, 2023, it was confirmed that there had been access to the data of its client Oceans Healthcare and one other unnamed HIPAA-covered entity. In total, the personal and protected health information of 19,893 individuals was exposed.
Burr & Forman was provided with personal information in connection with the legal services provided to its healthcare clients and that information included names, Social Security numbers, medical coding information, dates of service, and insurance information. In its substitute breach notification, Burr & Forman confirmed it is notifying the individuals affected and has provided resources to assist them, and has enhanced network security to prevent similar breaches in the future.
Sharp Health Plan Notifies Members About MOVEit Hack and Mismailing Incident
Sharp Health Plan has confirmed that the protected health information of 9,255 members was compromised in a hacking incident at one of its business associates, Delta Dental of California and affiliates (Delta Dental of California). Delta Dental of California used Progress Software’s MOVEit Transfer solution for file transfers. On May 31, Progress Software issued a patch to correct a zero-day vulnerability; however, the Clop hacking group had exploited the vulnerability between May 27 and May 30, 2023, before the patch was applied, and exfiltrated data.
Delta Dental of California’s investigation revealed on July 6, 2023, that the data of Sharp Health Plan members had been accessed and removed from the MOVEit Transfer solution without authorization. Delta Dental of California promptly engaged independent third-party experts in computer forensics, analytics, and data mining to determine what information was impacted and with whom it was associated. The investigation was completed on Nov. 27, 2023, and provided Delta Dental of California with the information required to notify the impacted clients. Clients started to be notified in mid-December. The stolen Sharp Health Plan data was limited to members’ first and last names, Social Security numbers, dental provider names, health insurance, and treatment cost information. The affected individuals are being notified directly by Delta Dental of California and affiliates.
Sharp Health Plan has also recently disclosed an unrelated privacy breach that occurred on December 26, 2023, at an unnamed mailing vendor. Sharp Health Plan said a system error in the software of its mailing vendor resulted in letters being sent to 8,200 Sharp Health Plan members with the members’ names omitted from the envelopes. The letters were sent to the correct recipients; however, without a name on the envelopes, other household members may have opened the letters. The letters included the intended recipient’s name, address, and behavioral health provider’s name, and confirmed that the member visited the provider in 2023.
Rebekah Children’s Services Reports September 2023 Cyberattack
Rebekah Children’s Services in Gilroy, CA, identified suspicious activity on its network on September 5, 2023, and engaged a third-party forensics firm to investigate and determine the nature of the attack. The forensic investigation confirmed that hackers had gained access to parts of the network where protected health information was stored, and the file review confirmed that names, addresses, Social Security numbers, dates of birth, health information, health insurance information, treatment information, medications, and driver’s license numbers had potentially been obtained. Steps have been taken to improve security, and the 2,805 affected individuals have been notified and offered complimentary access to single-bureau credit monitoring services.