HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breaches Reported by Family of Woodstock and Viverant

Family of Woodstock (FOW), a New York provider of crisis intervention, information, prevention, and support services, has suffered a cyberattack in which the protected health information of 8,214 individuals was potentially compromised.

The cyberattack was detected on August 3, 2021, and rapid steps were taken to eject the attackers from its network and restore its systems and operations. Third-party forensic investigators were engaged to determine the nature and scope of the breach, with the initial phase of the investigation concluding on September 11, 2021.

FOW said the investigation confirmed the attackers had access to parts of its network that contained protected health information such as first and last names, addresses, telephone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, medical history, diagnosis, treatment, condition, and health insurance information. At the time of issuing notifications, no evidence had been found indicating any attempted or actual misuse of information.

FOW has implemented additional cybersecurity safeguards, is enhancing its policies, procedures, and protocols, and is providing additional cybersecurity training to the workforce.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Physical Therapy Center Notifies 6,500 Patients of PHI Exposure

Viverant PT, LLC, a Minneapolis, MN-based physical therapy center, is notifying 6,500 current and former patients about a March 2021 cyberattack that exposed their protected health information.

The breach was detected on March 9, 2021, when suspicious emails were sent from an employee’s email account. The email account was immediately secured and steps were taken to address and contain the breach. A comprehensive review was conducted of its email environment, which confirmed only one email account had been breached but that it contained a wide range of sensitive data.

No evidence was found to indicate any attempted or actual misuse of patient data, but the possibility of data theft could not be ruled out. Viverant said the types of data in the account varied from individual to individual and may have included the following data elements: name, address, date of birth, Social Security number, driver’s license number, medical record number, date of service, diagnostic/treatment information, credit/debit card number with password or security code, health insurance information, financial account number with or without password or routing number, medications, username with security questions and answers, vehicle identification number (VIN), and digital signature.

Viverant said a leading security firm was engaged to assist with the investigation and response to the attack, and additional measures have been implemented to improve the security of its systems and practices. They include changing passwords, implementing more robust authentication, conducting further training of the workforce, and retaining national privacy and security experts to assist with ongoing security. Viverant said complimentary credit monitoring services have been offered to affected individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.