
20,000-Record Data Breaches Reported by Axis Health System & Gandara Mental Health Center

Data breaches have recently been announced by Axis Health System in Colorado, Gandara Mental Health Center in Massachusetts, Valleygate Dental Surgery Centers in North Carolina, and Family Medical Center in Maryland.

Axis Health System

Southwest Colorado Mental Health Center, doing business as Axis Health System, has discovered unauthorized access to its computer systems. Suspicious activity was detected on August 26, 2024, and steps were immediately taken to contain the incident. The forensic investigation confirmed that an unauthorized third party had access to its internal network between July 9, 2024, and September 4, 2024. During that time, there may have been unauthorized access to files containing patient information and that information may have been exfiltrated.

The file review confirmed that the protected health information of 23,385 patients had been exposed. The affected information varied from individual to individual and may have included one or more of the following: names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, driver’s license numbers/state-issued ID numbers, other identification numbers, claims numbers, account numbers, billing codes, health insurance information, and health information including diagnoses, test results, medical images, treatment information, doctors’ names, and medical record numbers.

Axis Health System said it is unaware of any misuse of the affected information but has taken the precaution of providing complimentary credit monitoring and identity theft protection services to the affected individuals. Policies and procedures are being reviewed and additional security measures are being implemented.

Gandara Mental Health Center

The Springfield, MA-based mental health service provider, Gandara Mental Health Center, detected unauthorized activity within its computer systems on June 20, 2024. Immediate action was taken to prevent further unauthorized access and third-party cybersecurity professionals were engaged to investigate the unauthorized activity. The investigation confirmed that files containing patient data were exfiltrated in the attack. On October 1, 2024, Gandara confirmed the names of the individuals involved. The types of data involved varied from individual to individual and included names, addresses, dates of birth, driver’s license numbers, Social Security numbers, medical treatment/diagnosis information, and health insurance information.

Individual notifications were mailed to the individuals for whom Gandara held contact information on October 24, 2024, and all individuals affected by the incident have been offered complimentary identity protection services. The intrusion was reported to the Federal Bureau of Investigation and regulators were notified. The breach report sent to the HHS’ Office for Civil Rights confirms that 20,024 current and former patients were affected.

Valleygate Dental Surgery Centers

Valleygate Dental Surgery Centers of Charlotte, Fayetteville, and the West in North Carolina have provided an update on a cyberattack that was detected on November 17, 2023. Valleygate Dental Surgery Centers posted an initial breach notice on its website on December 29, 2023, which confirmed that the personal and protected health information of certain patients was involved; however, at the time of that notification, the investigation was still ongoing and the affected individuals and the types of data involved had yet to be confirmed.

In its updated breach notice, Valleygate Dental Surgery Centers confirmed that the investigation revealed on September 17, 2024, that 14,589 patients had been affected. The types of data involved varied from individual to individual and included one or more of the following: full name, patient identification number, provider name, medical treatment/procedure information, mental/physical condition, health insurance policy number, Medicaid/Medicare number, Social Security number, government-issued identification number, financial account information, mother’s maiden name, digital/electronic signature, address, date of birth, birth certificate, chart number, telephone number, fax number, and/or email address.

Individual notification letters were mailed to the affected individuals on October 17, 2024. At the time of issuing those notifications, Valleygate Dental Surgery Centers was unaware of any misuse of the affected information. Valleygate Dental Surgery Centers also confirmed that it is working with cybersecurity experts to evaluate and enhance its practices and internal controls.

Family Medical Center

Family Medical Center in Mount Airy, MD, has notified 2,100 patients that their protected health information was stolen in a March 2023 ransomware attack. The intrusion was detected on March 9, 2023, when ransomware was used to encrypt files. Steps were immediately taken to contain the incident, and cybersecurity experts were engaged to investigate the breach. In a September 3, 2024, media notice, Family Medical Center said law enforcement was notified about the attack, and the affected system was turned over to the authorities to confirm that there had been no breach of patient data.

Family Medical Center received confirmation that data had been stolen, but since the data was encrypted it could not be accessed. The Department of Health and Mental Hygiene and the FBI both confirmed there had been no breach, after which authorization was provided to pay the hackers for the keys to decrypt the locked files. Systems and data have now been restored and additional safeguards have been implemented to strengthen security.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
