Patient Data Compromised in Cyberattack on New York Women’s Healthcare Providers
Protected health information has been exposed in cyberattacks at Visiting Physician Services of Michigan; Physicians’ Primary Care of Southwest Florida; and, in New York, Maternal Fetal Medicine Associates, Carnegie Hill Imaging for Women, Carnegie Women’s Health, and Equinox Inc.
Maternal Fetal Medicine Associates | Carnegie Hill Imaging for Women | Carnegie Women’s Health – New York
Patients of Maternal Fetal Medicine Associates, Carnegie Hill Imaging for Women, and Carnegie Women’s Health in New York have been affected by a security incident that involved unauthorized access and the potential theft of their personal and health information. The practices identified unauthorized access to their computer network on September 16, 2024, which the forensic investigation confirmed began on July 30, 2024, and lasted until September 16, 2024. During that time there was unauthorized access to files and certain files were downloaded without authorization; however, the threat actor did not access the electronic medical record database.
The file review is ongoing, so it has yet to be determined how many individuals have been affected. The data most likely compromised includes full names, addresses, dates of birth, driver’s license numbers, Social Security numbers, credit card information, bank account information, clinical diagnoses/conditions, lab results, and medications. Individual notification letters will be mailed to the affected individuals when the file review is completed. The OCR breach portal currently lists the incident as affecting at least 501 individuals.
Equinox, Inc., New York
Equinox, Inc., an Albany, NY-based support organization that provides domestic abuse, mental health, and youth services, has experienced a cyberattack that disrupted access to some of its network resources. The incident was detected on April 29, 2024, and the third-party forensic investigation determined that certain files on the network may have been accessed or downloaded.
The file review, which concluded on September 16, 2024, determined that the impacted files contained personal and protected health information such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers/other government identification numbers, passport numbers, financial account information, health insurance information, medical treatment/diagnosis information, and/or medication-related information. Individual notification letters were mailed to the affected individuals on November 15, 2024, and the breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 21,565 individuals.
Visiting Physician Services of Michigan
Visiting Physician Services of Michigan (VPS of MI), a home health service provider based in Farmington Hills, MI, has experienced a ransomware attack. The forensic investigation confirmed that an unauthorized actor had exfiltrated files from the network that contained patients’ protected health information.
The review of those files recently concluded and notification letters were mailed on November 15, 2024. The data involved varied from individual to individual and included names, Social Security numbers, and driver’s license numbers if that information was provided to VPS of MI. Other data potentially stolen include medical histories, mental/physical conditions and diagnoses, treatment information, disability information, prescription information, medical record numbers, health insurance information, and claims information.
VPS of MI said it is unaware of any misuse of the affected data but has advised patients to be vigilant against identity theft and fraud. Policies, procedures, and processes related to the storage and access of personal information are being reviewed. The HHS’ Office for Civil Rights breach portal lists the incident as affecting 20,604 individuals.
Physicians’ Primary Care of Southwest Florida
Physicians’ Primary Care of Southwest Florida (PPCSF) is investigating a security breach that was detected on September 17, 2024. The investigation determined that an unauthorized actor had accessed its network, with the access likely commencing on September 15, 2024. During those two days, patient data may have been viewed or acquired.
A programmatic and manual file review is ongoing to determine the individuals affected and the types of data involved. When that process has been completed, individual notifications will be mailed. Individuals whose Social Security numbers or driver’s license numbers were involved will be provided with complimentary credit monitoring and identity theft protection services. PPCSF has implemented 24/7 monitoring software on its network to prevent similar incidents in the future. A placeholder of 500 affected individuals is currently showing on the OCR breach portal. The BianLian threat group claimed responsibility for the attack and added the stolen PPCSF data to its data leak site.


