25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Cyberattacks on NY & OH Senior Care Providers Affect 181,000 Individuals

Posted By on Aug 19, 2024

Cyberattacks and data breaches have been reported by The New Jewish Home and Hamilton-Madison House in New York, Carespring Health Care Management in Ohio, Pocahontas Medical Clinic in Arkansas, and Wayne Memorial Hospital in Georgia.

The New Jewish Home, New York

Jewish Home Lifecare, doing business as The New Jewish Home in New York City, has notified the Maine Attorney General about unauthorized access to the personal and protected health information of up to 104,234 individuals.

The nonprofit senior health care system identified unauthorized access to its network on January 7, 2024. Assisted by third-party forensics experts, it was confirmed that an unauthorized third party accessed certain files on its network. The review of those files took until July 17, 2024, when it was confirmed that they contained sensitive information. The notification letter to the Maine Attorney General does not state what types of information were involved, and at the time of writing, there is no substitute breach notice on The New Jewish Home website. Individual notifications state the types of information that were compromised in the incident.

Notification letters were sent to the affected individuals on August 16, 2024, and those individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months. The New Jewish Home said steps have been taken to better protect the information in its care.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Carespring Health Care Management, Ohio

Carespring Health Care Management has reported a breach of the personal information of 76,719 individuals to the Maine Attorney General. Hackers had access to its network from October 12, 2023, to October 30, 2023, during which time they may have viewed or acquired files containing sensitive information.

The Ohio senior care provider said the attack impacted some of its operations on October 28, 2023, suggesting this was a ransomware attack. Carespring said third-party cybersecurity professionals were engaged to investigate the attack, and the document review was completed on July 16, 2024. Individual notification letters were mailed to the affected individuals on August 15, 2024, who were informed about the types of data involved. Complimentary credit monitoring services are being offered to the affected individuals.

Update: The breach was reported to the HHS’ Office for Civil Rights on August 15, 2024, as involving the protected health information of 64,609 patients, and to the Maine attorney general as involving the personal information of 76,719 individuals.

Pocahontas Medical Clinic, Arkansas

Pocahontas Medical Clinic, the operator of three health care clinics in Pocahontas and Corning in Arkansas, has confirmed that the protected health information of 31,216 current and former patients has been exposed and potentially stolen by hackers.

The cyberattack was discovered and blocked on May 30, 2024, the same day the hackers accessed its network. While the breach was rapidly detected and access to the network was promptly shut off, it is possible that sensitive data was viewed or stolen. The file review was completed on July 1, 2023, and after verifying contact information, notification letters were sent to the affected individuals on August 1, 2024. Pocahontas Medical Clinic said it is unaware of any misuse of patient data, but as a precaution, has offered all affected individuals complimentary credit monitoring services and identity theft protection services for 12 months.

The information involved varied from individual to individual and may have included names in combination with one or more of the following data elements: address, email address, phone number, date of birth, Social Security number, medical record number, diagnoses/conditions, treatment information, medications, and health insurance information.

Wayne Memorial Hospital, Georgia

Wayne Memorial Hospital in Jessup, GA, has confirmed that it has fallen victim to a ransomware attack. The attack was detected on June 3, 2024, when files were encrypted on its network. Immediate action was taken to prevent further unauthorized access, and data was restored from backups rather than paying the cybercriminal group behind the attack. The third-party forensic investigation confirmed that a ransomware group had access to its network between May 30, 2024, and June 3, 2024, during which time some of those files were exfiltrated by the group and used as part of the ransom demand. As previously reported by The HIPAA Journal, the Monti ransomware group claimed responsibility for the attack.

In its substitute website breach notice, Wayne Memorial Hospital said the review of the files is ongoing; however, the incident has now been reported to the HHS’ Office for Civil Rights as affecting 2,500 individuals. At the time of posting its substitute breach notice, Wayne Memorial Hospital was unaware of any misuse of the affected individuals’ data. Wayne Memorial Hospital has implemented new intrusion detection and response tools, performed a full password reset, and will continue to implement further security measures to improve security.

Update: September 2025: Wayne Memorial Hospital has confirmed that more than 163,000 patients were affected.

Hamilton-Madison House, New York

Hamilton-Madison House, a New York-based nonprofit provider of behavioral health and other services in New York City, has discovered unauthorized access to its network. Hackers had access to its network from December 24, 2023, to December 27, 2023. A forensic investigation was conducted followed by a manual document review, which confirmed on June 4, 2024, that files had been acquired that contained information such as full names, dates of birth, driver’s license and/ or state identification numbers, medical record numbers, health insurance identification numbers, and clinical/treatment information and, for a limited number for individuals, Social Security numbers.

Notification letters were mailed to the 1,114 affected individuals on August 1, 2024, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were involved. Security measures are being evaluated and enhanced to improve the privacy and security of the information it stores.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist