Cyberattack Announced by Carolina Arthritis Associates
Data breaches have recently been announced by Carolina Arthritis Associates in North Carolina, Jaime Schwartz MD in California, Somnia in New York, and the California healthcare staffing agency Aya Healthcare.
Carolina Arthritis Associates, North Carolina
Carolina Arthritis Associates in Wilmington, North Carolina, has confirmed via its legal counsel that it fell victim to a cyberattack in September 2024 that caused network disruption and potentially involved unauthorized access to patient data. Some of that data may have been copied by an unauthorized third party, including names, birth dates, treatment/procedure information, medical record numbers, provider names, and Social Security numbers.
The attack was detected on September 27, 2024, and the third-party cybersecurity experts engaged to investigate the incident determined that files may have been exfiltrated on or around September 27, 2024. All exposed files were reviewed through programmatic and manual processes, which concluded on January 21, 2025. Individual notification letters were mailed to the affected individuals on February 27, 2025, and credit monitoring and identity theft remediation services have been made available to individuals whose Social Security numbers were involved. According to the notification sent to the Maine Attorney General, 36,961 individuals had their data compromised in the incident, including 3 Maine residents.
Aya Healthcare, California
The San Diego, California-based healthcare staffing agency, Aya Healthcare, has notified 3,187 individuals about a recent credential stuffing attack, in which cybercriminals used lists of compromised credentials to access user accounts on its systems. These attacks are made possible by credential reuse, where the compromised credentials for accounts on one platform are used to try to access accounts on an unrelated platform. There was no actual hacking of any Aya Healthcare systems.
While most attempts were not successful, the automated attack on accounts did result in certain accounts being accessed. Aya Healthcare confirmed on January 29, 2025, that accounts were accessed between January 12 and January 19, 2025, and the types of information viewed or obtained in the attack included first and last names, addresses, email addresses, phone numbers, dates of birth, state nursing license numbers, vaccination statuses, and Social Security numbers. Aya Healthcare has found no evidence of misuse of the exposed information and has reset the passwords for the affected accounts. The affected individuals have been offered 24 months of complimentary credit monitoring and fraud remediation services.
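The pattern described above (many accounts tried, most attempts failing, a few succeeding) can be picked out of authentication logs. The following is an added defender-side example, not code from Aya Healthcare or the original article; the log format, thresholds, IP addresses, and usernames are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log; the "src= user= result=" format is an assumption.
SAMPLE_LOG = """\
2025-01-12T03:10:01Z src=203.0.113.7 user=alice result=FAIL
2025-01-12T03:10:02Z src=203.0.113.7 user=bob result=FAIL
2025-01-12T03:10:03Z src=203.0.113.7 user=carol result=FAIL
2025-01-12T03:10:04Z src=203.0.113.7 user=dave result=OK
2025-01-12T03:10:05Z src=203.0.113.7 user=erin result=FAIL
2025-01-12T03:10:06Z src=203.0.113.7 user=frank result=FAIL
2025-01-12T09:00:00Z src=198.51.100.20 user=grace result=FAIL
2025-01-12T09:00:20Z src=198.51.100.20 user=grace result=FAIL
2025-01-12T09:00:45Z src=198.51.100.20 user=grace result=OK
2025-01-12T09:05:00Z src=192.0.2.5 user=heidi result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def find_stuffing(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts and mostly fail.

    Returns {source: [accounts that logged in successfully from it]};
    those accounts are the candidates for a forced password reset.
    """
    attempts = defaultdict(list)  # source -> [(user, succeeded)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _, src, user, result = m.groups()
        attempts[src].append((user, result == "OK"))

    flagged = {}
    for src, events in attempts.items():
        distinct_users = {user for user, _ in events}
        failures = sum(1 for _, ok in events if not ok)
        # One user retrying a forgotten password has few distinct usernames;
        # a stuffing run has many usernames and a high failure ratio.
        if (len(distinct_users) >= min_users
                and failures / len(events) >= min_fail_ratio):
            flagged[src] = sorted({user for user, ok in events if ok})
    return flagged


if __name__ == "__main__":
    for src, accounts in find_stuffing(SAMPLE_LOG).items():
        print(f"{src}: reset passwords for {accounts}")
```

Grouping by source address alone misses runs spread across many addresses, so in practice the same ratio is also computed per time window across all sources.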
Somnia, New York
Somnia, Inc., a New York-based provider of anesthesiology services, has discovered unauthorized access to its email environment. Suspicious email activity was identified on November 21, 2024, and third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the activity. The investigation confirmed that a small number of employee email accounts were accessed by an unauthorized third party, and on December 10, 2024, it was confirmed that some of those accounts contained sensitive patient data.
The potentially compromised information included names plus one or more of the following: address, date of birth, diagnosis/condition/treatment information, health insurance information, and Social Security numbers. The HHS’ Office for Civil Rights has been given an interim total of at least 500 individuals as the email account reviews are ongoing. Credit monitoring services are being offered to the affected individuals, who have been advised to be vigilant against identity theft and fraud for the next 12-24 months.
Jaime Schwartz MD, California
Jaime Schwartz MD, PC, a California-based plastic surgeon, has notified the California Attorney General about a June 2024 data breach involving unauthorized access to the practice’s medical billing and practice management system. The security breach was detected on June 27, 2024, and the forensic investigation confirmed that the system was accessed using a vendor’s compromised credentials.
The threat actor acquired sensitive data from that system, including first and last names, addresses, dates of birth, medical information, prescription medication information, patient images, and health insurance information. The practice is reviewing its technical safeguards and will be making enhancements to prevent similar breaches in the future. The affected individuals have been offered complimentary single bureau credit monitoring and credit score services.
This is not the first cyberattack to hit the practice. In 2023, the Hunters International cybercriminal group added the practice to its data leak site, claimed to have stolen 1.1TB of data, and threatened to contact patients directly about the theft of their data if the ransom was not paid. The group behind the latest attack is unclear, and it is not yet known how many individuals were affected.


