Data Breaches Reported by Rady Children’s Hospital, Aveanna Healthcare and Endeavor Energy Resources

Share this article on:

Rady Children’s Hospital-San Diego, the largest children’s hospital in California, discovered a security breach on January 3, 2020 in which the protected health information of certain patients was potentially accessed by an unauthorized individual.

A computer used by the radiology department had been remotely accessed by an unauthorized individual via an open internet port. A digital forensics firm was engaged to investigate the breach and determined that the computer was compromised on June 20, 2019 and access remained possible until the port was closed on January 3, 2020.

An analysis of the compromised device revealed on February 5, 2020 that names and genders of patients were potentially compromised along with the type and date of imaging studies and, for some patients, their date of birth, medical record number, referring physician’s name, and/or a description of the imaging study. No financial information, Social Security numbers, diagnoses, or medical images were compromised. Complimentary credit monitoring services have been offered to affected patients.

Rady Children’s Hospital is working closely with the digital forensics firm to determine what additional security measures are required to prevent further cyberattacks in the future.

Multiple Email Accounts Breached in Aveanna Healthcare Phishing Attack

Atlanta, GA-based Aveanna Healthcare, the largest provider of pediatric home care in the United States, has discovered the email accounts of several employees were compromised over the summer of 2019.

Aveanna Healthcare first identified suspicious activity in the email accounts of some of its employees on August 24, 2019. Third-party computer forensics specialists were engaged to assist with the investigation and determine the nature and extent of the attack. The investigation revealed several email accounts were compromised between July 9, 2019 and August 24, 2019. It was not possible to determine if any patient information was accessed or stolen by the attackers. The review of the compromised email accounts was completed on December 19, 2019.

The breach report submitted to the California Attorney General shows 5,004 California residents were affected. It is currently unclear how many patients in other states have also been affected. Californian patients were notified about the breach on February 14, 2020 and were offered complimentary credit monitoring and identity theft protection services for 12 months through TransUnion. Aveanna Healthcare determined that the following information of California residents was contained in the accounts: Names, Social Security numbers, driver’s license numbers, bank and financial information, State ID numbers, medical information, and health insurance information.

The HHS’ Office for Civil Rights breach portal indicates 166,077 patients were affected by the attack.

Endeavor Energy Resources Phishing Attack Impacts 5,100 Individuals

The oil and gas exploration form, Endeavor Energy Resources, has announced it has experienced a phishing attack that potentially saw unauthorized individuals gain access to the personal and health information of 5,103 current and former employees.

The attack was detected on January 14, 2020 when unusual activity was detected in the Office 365 email account of one of its employees. On February 7, 2020, Endeavour determined the compromised email account contained the names and health plan ID numbers of current and former Endeavor employees, employees of Endeavor affiliates, and dependents who also participate in the health plan.

Steps have now been taken to improve email security to prevent similar attacks in the future. At this stage of the investigation, Endeavor has found no evidence to suggest any information in the account has been misused.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On