Data Breaches at Business Associates Affect LifeLong Medical Care & Beaumont Health Patients

LifeLong Medical Care, a Californian healthcare provider serving patients in Alameda, Contra Costa, and Marin Counties, has notified certain patients whose protected health information was impacted in a ransomware attack on the third-party vendor Netgain Technologies. The breach has been reported to the HHS’ Office for Civil Rights as involving the PHI of 115,448 patients.

Netgain Technologies discovered a security breach on November 24, 2020 involving ransomware. An internal investigation into the breach determined on February 25, 2021 that the attackers had accessed and obtained files containing the information of its customers. The attackers first breached its systems on November 15, 2020.

LifeLong Medical Care said it launched a comprehensive investigation into the breach and discovered on August 9, 2021 that the personal and protected health information of patients was accessed and/or exfiltrated from Netgain’s network. Affected patients had their full name compromised along with one or more of the following data elements: Social Security number, date of birth, patient cardholder number, and/or treatment and diagnosis information.

Affected individuals started to be notified about the breach on August 24, 2021, 9 months after the breach occurred. LifeLong Medical Care said it is not aware of any cases of identity theft or improper use of patient data as a result of the incident but has recommended patients whose Social Security number was compromised take advantage of the complimentary credit monitoring services that have been offered.

“As part of LifeLong Medical Care’s ongoing commitment to the security of information, we are working with our third-party vendors to enhance security and oversight,” explained LifeLong Medical Care in its August 24, 2021 breach notification letter.

Beaumont Health Notifies Patients Whose PHI was Compromised in the January 2021 Accellion Data Breach

Beaumont Health, the largest healthcare provider in Michigan, announced on August 27, 2021 that the protected health information of some of its patients was compromised in the January 2021 extortion attack on Accellion. Beaumont Health said it was notified by Goodwin Procter LLP on February 5, 2021 that patient data had been compromised in the attack. Goodwin Procter had used the Accellion File Transfer Appliance for sending large files between clients, one of which was Beaumont Health.

Goodwin Procter had received files containing the personal and protected health information of patients of Beaumont Health in connection with the legal services provided by the law firm. The investigation into the breach determined that files on the Accellion appliance were downloaded by the threat actor on January 20, 2021 after a vulnerability was exploited. The threat actor, who had links to the Clop ransomware gang, then attempted to extort money to prevent the release/sale of the stolen data.

Beaumont Health said “Goodwin notified Beaumont of the Accellion security incident after determining that the information removed by the threat actor may have contained Beaumont patient information. Beaumont subsequently conducted its own independent analysis of the information impacted by the Accellion incident and discovered on June 28, 2021 that the impacted information contained some patient health information of some Beaumont patients.”

The PHI of 1,568 patients was compromised in the breach, which included patient names, procedure names, physician names, internal medical record numbers, and dates of service.

Beaumont Health said it has not received any reports of misuse of that information, and neither has Goodwin Procter. Goodwin Procter issued notification letters to affected individuals on behalf of Beaumont Health commencing on August 27, 2021. Goodwin Procter said it has terminated use of the Accellion File Transfer Appliance and is now further evaluating its data security policies and procedures.

This is the latest in a string of data breaches to affect Beaumont Health. In late 2019, Beaumont Health discovered a 20-month insider data breach that affected 1,182 patients. It reported a phishing attack in April 2020 that affected 112,000 patients, and a second phishing-related breach was reported in July 2020 as affecting 6,000 patients.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.