
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Cyberattacks Reported by Medjet; Angels Neurological Centers; Native American Health Center

Cyberattacks and data breaches have been reported by Medjet/MedjetAssist in Alabama, Native American Health Center in California, and Angels Neurological Centers in Massachusetts.

Medjet/MedjetAssist

Medjet and MedjetAssist (Medjet), a Birmingham, AL-based air medical transport and travel security membership program, has announced that a threat actor installed malware on its network that rendered certain systems unavailable. The attack was detected on October 17, 2023, and the forensic investigation confirmed on December 5, 2023, that the threat actor may have acquired files from the network during the period of access.

A review was conducted to determine which files may have been copied from its systems, and that process was completed on or around May 10, 2024. The exposed information included names, addresses, and Social Security numbers. Medjet said it is unaware of any actual or attempted misuse of client information at the time of issuing notifications.

Notification letters started to be sent on January 5, 2024; however, as the investigation progressed it became clear that other information had potentially been affected and further notifications were mailed on June 3, 2024. The notification to the Maine Attorney General indicates the information of 14,400 clients was exposed, including 9 Maine residents. The affected individuals have been offered 12 months of credit monitoring and identity theft protection services. Medjet implemented complex password requirements and multifactor authentication before the incident and will continue to review its cybersecurity measures to look for further ways to strengthen security.

Native American Health Center, California

Native American Health Center, a nonprofit Federally Qualified Health Center serving the native community in the California Bay Area, suffered a cybersecurity incident on November 19, 2023. Prompt action was taken to secure its network and third-party cybersecurity experts were enlisted to investigate the incident. In January, the forensic investigation confirmed that files had been accessed by an unauthorized actor, and a comprehensive review was conducted to determine what information was involved.

The review was completed on May 28, 2024, and Native American Health Center was provided with a list of the affected individuals and the types of data involved. The compromised information was limited to names, dates of birth, and medical information. Social Security numbers were not compromised; however, out of an abundance of caution, the affected individuals have been offered complimentary Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services.

Native American Health Center said it had implemented multifactor authentication for all logins, and is now working to extend the deployment of a system that replaces passwords with fingerprint scans/badge taps, which has recently been trialed in selected departments. All hard drives have been replaced and annual HIPAA privacy and security assessments will continue to be conducted as well as annual reviews of policies, procedures, and employee training programs concerning cybersecurity. The breach has been reported to regulators but is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Angels Neurological Centers, Maine

On April 9, 2024, Angels Neurological Centers in Massachusetts identified suspicious activity in its computer systems. Steps were immediately taken to contain the attack and prevent further unauthorized access and third-party cybersecurity professionals were engaged to investigate the incident. The forensic investigation identified unauthorized access to files containing patient information on limited occasions between March 3, 2024, and April 9, 2024.

The information involved varied from individual to individual and may have included names in combination with one or more of the following: address, birth date, medical record number, patient identification number, provider or facility name, medical condition, diagnosis, treatment information, medication/prescription information, payment amount history information, insurance payment amount information, date(s) of service, medical information, health insurance information, driver’s license number or state identification number, Social Security number, and other information disclosed or created in the course of providing health care services. The affected individuals were notified by mail on June 5, 2024. The breach notification to the Maine Attorney General indicates that 934 individuals have been affected.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
