Data Breaches Reported by Aesto Health and Motion Picture Industry Health Plan

Aesto Health, a Birmingham, AL-based software company that provides solutions to help healthcare enterprises and medical providers exchange, organize, and protect patient information, has announced it recently experienced a cyberattack that caused disruption to certain internal IT systems.

The security breach was detected on March 8, 2022, and steps were immediately taken to prevent further unauthorized access to its systems. A third-party computer forensics company was engaged to assist with the investigation, which confirmed that an unauthorized individual had access to the affected systems from December 25, 2021, to March 8, 2022.

During that time frame, certain files were exfiltrated from a backup storage device, which include radiology reports from Osceola Medical Center (OMC) in Wisconsin. A review of the affected files confirmed they contained patients’ protected health information, including names, dates of birth, physician names, and report findings related to radiology imaging at OMC. No Social Security numbers or financial information were viewed or stolen, and OMC systems and electronic medical records were unaffected. Aesto Health said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 17,400 patients.

Motion Picture Industry Health Plan Informs Members of Unauthorized PHI Disclosure

The Motion Picture Industry Health Plan (MPIHP) has announced that the protected health information of 16,838 plan members has been impermissibly disclosed in a mis-mailing incident. On March 31, 2022, MPIHP discovered an error with a mailing that saw information about plan members sent to incorrect mailing addresses. In each case, a letter intended for one MPIHP member was sent to an incorrect MPIHP member.

No medical information or health claims information was included in the letters, only name, address, hours worked, the last four digits of the individual’s Social Security number, and recent dates of eligibility. Notification letters have now been sent to all affected individuals to the last address provided by those participants. Affected individuals have been offered complimentary identity monitoring services for one year. MPIHP said the exact source of the error has been identified and steps have been taken to prevent any repeat mis-mailing incidents.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.