
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Cyberattack on Arizona Business Associates Affects 78,000 Individuals

Data breaches have been announced by Ottawa Family Physicians in Kansas, CPS Solutions in Ohio, Turning Point of Central California, The Phoenix Rehabilitation and Nursing Center in New York, and Primary Health-SMMPP & U.S. HEALTHWORKS-SMMPP in Arizona.

Primary Health-SMMPP & U.S. HEALTHWORKS-SMMPP

A data breach has recently been reported that has affected the HIPAA business associates Primary Health-SMMPP and U.S. HEALTHWORKS-SMMPP. Both business associates are based in Arizona and provide healthcare-related services, including the distribution of rapid COVID test kits to schools and organizations in Arizona and other states. On or around December 13, 2024, unusual activity was identified in a server operated by Primary Health-SMMPP. A third-party digital forensics company was engaged to investigate the unauthorized activity and confirmed that an unauthorized third party had breached its defenses and may have viewed or copied data stored on the server. The server was reviewed to identify the individuals affected and the types of data involved, and that process was completed on January 7, 2025.

The exposed data included names, dates of birth, Rx Numbers, Rx Information, dates of service, and/or Social Security numbers. Complimentary credit monitoring and identity theft protection services are being offered for between 12 and 24 months. The breach was reported to the HHS’ Office for Civil Rights by Primary Health-SMMPP as affecting 67,567 individuals and by U.S. HEALTHWORKS-SMMPP as affecting 10,673 individuals.

Ottawa Family Physicians

Ottawa Family Physicians in Kansas has fallen victim to a cyberattack. Unusual activity was identified in its computer systems on December 15, 2024. Systems were secured and a third-party digital forensics firm was engaged to investigate the activity. The investigation confirmed that unauthorized individuals had access to its network for 6 days between December 10, 2024, and December 15, 2024.

The review of the exposed files is ongoing and while the exact types of data involved have yet to be confirmed, the data likely involved includes full names, addresses, dates of birth, and medical information. The exposed medical information is likely to include diagnoses/conditions, lab results, medications, and other treatment information. Ottawa Family Physicians said it plans to update its privacy and security safeguards to enhance protections. Since the extent of the data breach has yet to be determined, the incident has been reported to the HHS’ Office for Civil Rights using an interim figure of 501 affected individuals. The total will be updated when the investigation concludes.

CPS Solutions

CPS Solutions, an Ohio-based vendor that provides support to pharmacy operations, has recently announced a cybersecurity incident that may have involved individuals’ protected health information. On December 4, 2024, CPS Solutions identified unauthorized access to an employee’s Office 365 business email account. The account was immediately secured, and the unauthorized activity was investigated. The investigation confirmed that the unauthorized third party was able to access and remove data from the account between December 2 and December 4, 2024. No other systems were affected.

The review of the account was completed on January 24, 2025, when it was confirmed that the compromised information included names plus one or more of the following: date of birth, address, health insurance information, Medicaid/Medicare numbers, medical record numbers, patient account numbers, clinical information, provider information, diagnosis/treatment information, and/or prescription information, and a limited number of Social Security numbers. CPS Solutions works with many HIPAA-covered entities, has notified all affected customers about the data breach, and is coordinating with them to provide notice to the affected individuals. Security controls and monitoring capabilities are being enhanced, and systems are being hardened to strengthen security. The breach was reported to the HHS’ Office for Civil Rights using an estimate of at least 500 individuals. The figure will be updated when the final total is known. The affected individuals are being offered two years of credit monitoring and identity theft protection services.

Turning Point of Central California

Turning Point of Central California, a provider of social services and rehabilitation programs to individuals and families in California, has reported a data breach to the California Attorney General. The incident was detected on May 31, 2024, when suspicious network activity was identified. The third-party forensic investigation confirmed that its systems had been accessed by an unauthorized individual, and on June 12, 2024, it was determined that client information may have been copied from its network.

The review of the affected information is ongoing, additional security controls are being implemented, and individual notifications will be mailed to the affected individuals when the review is concluded. Individuals whose Social Security numbers were involved will be offered complimentary credit monitoring and identity theft protection services. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The Phoenix Rehabilitation and Nursing Center

Atlantis Operating, doing business as The Phoenix Rehabilitation and Nursing Center in New York, has had the personal data of patients exposed in a security incident at one of its third-party vendors. The forensic investigation confirmed that the incident most likely started on July 20, 2024, and the vendor notified Phoenix about the incident on or around September 19, 2024. Phoenix has been working with the vendor to determine the individuals affected and the types of data involved.

Phoenix said the exposed data is limited to names, addresses, medical information, and in some instances, Social Security numbers. At the time of the announcement about the data breach, Phoenix was unaware of any misuse of the impacted data. Notification letters were mailed to the affected individuals on January 28, 2025, and steps have been taken to strengthen security by Phoenix and its vendor. The HHS’ Office for Civil Rights breach portal indicates 6,459 individuals were affected.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
