
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Data Breaches Reported by Rebound Orthopedics, CCM Health, BCBST & Orsini Pharmaceutical Services

Data breaches have recently been reported by Rebound Orthopedics & Neurosurgery, CCM Health, BlueCare Plus Tennessee, and Orsini Pharmaceutical Services.

Rebound Orthopedics & Neurosurgery

Rebound Orthopedics & Neurosurgery in Vancouver, WA, has recently announced that it fell victim to a cyberattack on February 2, 2024. The attack was detected on February 3 when its computer systems went offline, including its patient and scheduling portals, and the outage lasted for more than 2 weeks. Computer forensics specialists were engaged to investigate the incident and confirmed that an unknown and unauthorized actor had accessed its network and viewed or copied files that were stored on its systems. A detailed review of those files confirmed that they contained patient information, although no evidence was found to indicate that any information in those files has been misused.

It is currently unclear what information was involved, as that information was not present in the sample notice provided to the Montana Attorney General. The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected. Rebound Orthopedics & Neurosurgery said additional security measures have been implemented to prevent similar incidents in the future and complimentary credit monitoring services have been offered to the affected individuals for 24 months.

February 2025 Update: A February 4, 2025, breach notice to the California Attorney General clarifies the types of data involved. The information involved varies from individual to individual and may include names plus one or more of the following: medical information, health insurance information, Social Security numbers, financial account information, driver’s license numbers, passport numbers, and dates of birth. The incident has been reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 426,536 individuals.


CCM Health

CCM Health in Montevideo, MN, has recently notified 28,760 individuals about a network security incident that involved some of their personal and health information. In a March 12, 2024, breach notice, CCM Health explained that there had been unauthorized access to its network between April 3, 2023, and April 10, 2023, and an unauthorized third party may have accessed and removed files containing their sensitive information.

A comprehensive review of all files on the compromised parts of the network confirmed they contained full names, dates of birth, Social Security numbers, medical information, and health insurance information. The exposed health information included medical record numbers, patient account numbers, prescription information, healthcare provider names, medical diagnoses, diagnosis codes, treatment types, treatment locations, treatment dates, admission dates, discharge dates, and/or lab results.

The file review was completed on February 12, 2024, and notification letters have now been sent to the affected individuals. Single bureau credit monitoring/single bureau credit report/single bureau credit score services have been provided to the affected individuals at no charge.

Update: CCM Health has discovered more individuals have been affected. The OCR breach portal still shows the breach as involving the protected health information of 28,760 individuals; however, a supplemental breach notice was sent to the Maine Attorney General in July 2024 indicating 85,258 individuals have been affected, including 5 Maine residents.

BlueCross BlueShield of Tennessee

BlueCross BlueShield of Tennessee, Inc. (BCBST) and Volunteer State Health Plan, Inc., which do business as BlueCare Plus Tennessee, have recently notified around 2,000 individuals about two security incidents that exposed their sensitive information.

BCBST said it identified suspicious login attempts to its member portal from outside the company on or around December 19, 2023. The attempts were made to log in using username and password combinations that came from an unknown source. The investigation found no evidence to suggest there had been a breach of BCBST systems, and it would appear that this was a credential stuffing attack, where username/password combinations that have been obtained in a third-party breach are used to try to log into accounts on other platforms.

The member portal was immediately disabled while the unauthorized activity was investigated, password security was enhanced, and third-party forensics experts were engaged to assist with the investigation. Between January 18 and January 24, 2024, BCBST learned that there had been a similar incident on August 7, 2023. The data potentially accessed in these two incidents included names, dates of birth, addresses, subscriber IDs, provider names, group numbers and names, plan information, medical information, claims information, and user IDs and passwords. For fewer than 1% of the affected individuals, financial information was also exposed. For individuals whose coverage ended more than two years ago, the breached information only included IDs and passwords.

BCBST is implementing new login requirements and has notified the affected individuals and offered them identity monitoring services at no cost. They have also been asked to change their online account passwords when they sign in and to use a password that has not been used elsewhere. Two separate reports of data breaches have been logged by the HHS’ Office for Civil Rights that affected 1,251 and 790 individuals.

Orsini Pharmaceutical Services

Orsini Pharmaceutical Services in Illinois has recently discovered there has been unauthorized access to an employee’s email account. The breach was detected on January 10, 2024, and the investigation confirmed that a single email account was compromised between January 8 and January 10, 2024. The email account was reviewed to find out the types of information that had been exposed, which confirmed that the protected health information of 1,433 patients was present in the account, including names, addresses, dates of birth, medical record numbers, health insurance information, diagnoses, and/or prescription information.

Orsini Pharmaceutical Services did not find evidence to suggest that the attack was conducted to obtain patient data, but the possibility could not be ruled out. Additional safeguards and technical security measures have been put in place to further protect and monitor its systems, and the affected individuals have been notified and offered a complimentary 12-month membership to a credit monitoring service.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
