25% off all training courses Offer ends May 8, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 8, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Data Breaches Reported by Mystic Valley Elder Services & St. Anthony Regional Hospital

Posted By on Oct 31, 2024

Mystic Valley Elder Services, a Malden, Massachusetts-based non-profit agency providing home and community-based care to elders and adults living with disabilities, has started issuing individual notifications about a cyberattack and data breach that was identified on April 5, 2024.

A digital forensics company was engaged to investigate the unauthorized activity and confirmed that there had been unauthorized access to its internal systems on April 5, 2024, during which time files may have been acquired. A review was conducted of all affected files which confirmed on July 11, 2024, that protected health information had been exposed. The data involved varied from individual to individual and may have included names, dates of birth, passport numbers, financial account numbers, payment card numbers, online credentials, taxpayer identification numbers, Social Security numbers, driver’s license numbers, health insurance information, and medical information.

Notification letters are now being mailed to the affected individuals and complimentary credit monitoring and identity theft protection services have been made available. Mystic Valley Elder Services said it is enhancing its technical safeguards to prevent similar breaches in the future. The HHS’ Office for Civil Rights shows two listings about this incident, one involving the records of 85,133 individuals in its capacity as a healthcare provider and a breach involving the protected health information of 2,402 individuals in its capacity as a business associate.

St. Anthony Regional Hospital, Iowa

St. Anthony Regional Hospital in Carroll, Iowa, has recently announced it fell victim to a cyberattack in August. Suspicious activity was identified within its network on August 26, 2024, and the forensic investigation confirmed there had been unauthorized access to a subset of its network between August 14, 2024, and August 28, 2024. During that time, the threat actor accessed or downloaded files on the network that contained patients’ protected health information.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

St. Anthony Regional Hospital said it is still reviewing the affected files to determine the patients and data involved but has confirmed that the breached information is likely to include names, addresses, dates of birth, Social Security numbers, financial information, and medical information such as diagnosis and treatment information. Notification letters will be mailed to the affected individuals when the investigation is concluded. St. Anthony Regional Hospital is unaware of any misuse of the affected information; however, patients have been advised to remain vigilant against incidents of identity theft and fraud by reviewing their account statements, credit reports, and explanation of benefits statements.

The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. The total will be updated when the file review has been completed.

Update: January 2025

While the number of affected individuals is still not known, St. Anthony Regional Hospital has recently confirmed that the data review has concluded and notification letters are being mailed to the affected individuals. The updated data breach notice on its website states that the exact data involved varies from individual to individual, and may include one or more of the following:

Full name, address, date of birth, Social Security number, driver’s license number, other government-issued identification numbers, payment card information, and financial account information. The following medical information may also have been impacted: billing/claims information, diagnosis code, doctor’s name, medical record number, mental or physical condition/treatment, medical device/serial number, biometric data, prescription information, disability information, treatment location, patient ID/account number, and beneficiary number. For certain individuals, health insurance information, including subscriber member number, group/plan number, policy number, beneficiary number, and Medicare/Medicaid IDs may have been affected.

 

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist