Cyberattacks Reported by Schneck Medical Center, NuLife Med, & FPS Medical Center

The Manchester, NH-based medical equipment company, NuLife Med LLC, has recently announced it was the victim of a cyberattack in March 2022. Suspicious network activity was detected on or around March 11, 2022, and steps were immediately taken to prevent further unauthorized network access. An investigation was launched to determine the nature and scope of the attack and to allow its network and systems to be restored. The investigation confirmed that unauthorized individuals had accessed its network between March 9 and March 11, 2022, and potentially viewed and exfiltrated files from its systems.

It was not possible to determine which files had been viewed or removed from its systems, nor the exact number of files that had been accessed or exfiltrated. Notification letters have therefore been sent to all individuals potentially affected. The review of the files revealed they mostly contained protected health information such as names, addresses, medical information, and/or health insurance information. A limited number of individuals have also had their Social Security numbers, driver’s license information, and/or financial account or credit card information exposed.

NuLife Med said it is currently reviewing records to try to determine which individuals have had information beyond medical and/or health insurance information impacted, and additional notifications will be sent to those individuals when the breach investigation has concluded. NuLife said no reports have been received to date to indicate any patient information has been misused.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 81,244 individuals.

Ransomware Attack Affects 28,000 FPS Medical Center Patients

FPS Medical Center in Lake Havasu City, AZ, has recently announced it was the victim of a malware incident that encrypted files on its network. The security breach was detected on March 3, 2022, with the subsequent investigation determining its systems were first breached on February 28, 2022. Unauthorized access was blocked on March 3, 2022.

A forensic investigation was conducted to determine whether patient information was accessed or exfiltrated, but it was not possible to tell if any files had been viewed or downloaded, although the possibility of unauthorized access and data theft could not be ruled out.

A review was conducted of all files on the parts of the network that were affected, which concluded on April 25, 2022. The files contained full names, addresses, birth dates driver’s license information, medical information such as treatment and diagnosis information, health insurance information, and limited Social Security numbers.

Notification letters have now been sent to the 28,024 patients whose protected health information has potentially been compromised. FPS Medical Center said it is reviewing its policies and procedures and will implement additional administrative and technical safeguards to further secure the information in its systems.

Schneck Medical Center Announces Cyberattack and Data Theft Incident

Schneck Medical Center in Seymour, IN, has started notifying certain patients that some of their protected health information was contained in files that were exfiltrated from its systems.

The medical center did not state in its notification whether the security incident was detected but said an extensive forensic investigation and manual document review were conducted which determined on March 17, 2022, that files had been exfiltrated from its systems on or around September 29, 2021.

The files contained names along with one or more of the following data types: Address, date of birth, medical record number, other internal identification numbers, driver’s license/state identification numbers, medical diagnosis, and conditions information, and health insurance/claims information. The files also contained limited Social Security numbers, financial account information, and payment card information.

Schneck Medical Center said no evidence was found to indicate any actual or attempted misuse of patient data; however, as a precaution, individuals potentially at risk have been offered complimentary credit monitoring services. Notification letters were sent to affected individuals on May 13, 2022.

A review has been conducted of its security systems, policies, and procedures, and additional security measures are being implemented to prevent similar incidents in the future.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 92,311 individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.