Data Breaches Reported by Gainwell Technologies, TaylorMade Diagnostics, and Mattapan Community Health Center

Gainwell Technologies has discovered unauthorized individuals have potentially accessed the information of certain participants of Wisconsin’s Medicaid program, which was stored in emails and email attachments in a compromised account.

Access to the email account was first gained on October 29, 2020 and continued until November 16, 2020. The account contained information such as names, member ID numbers, and billing codes for services. Approximately 1,200 Wisconsin Medicaid members have been affected. Affected individuals have been offered a 1-year complimentary membership to credit monitoring services.

Gainwell provides fiscal-agent services for the Wisconsin Department of Health Services (DHS) Medicaid Program. Since the breach occurred, the DHS and Gainwell have worked together to prevent similar breaches in the future.

This is the second incident to be reported as having affected Gainwell in recent weeks. Gainwell operates the Medicaid Management Information System used by the Tennessee state Medicaid health plan, TennCare. Gainwell discovered an error at a mailing vendor resulted in mailings being sent to incorrect addresses between 2019 and 2020. The two incidents are not related.

Email Account Breach Reported by Mattapan Community Health Center

Mattapan Community Health Center (MCHC) is notifying 4,075 patients that some of their protected health information was contained in an email account that was accessed by unauthorized individuals.

Unusual email account activity was detected on October 16, 2020. Assisted by a third-party computer forensics firm, MCHC determined the email account was compromised on July 28, 2020. Through a manual and programmatic review of the email account, MCHC determined the following information may have been accessed by unauthorized individuals: Names, Social Security numbers, medical diagnoses, treatment information, provider information, health insurance information, and/or medical record numbers.

Additional security measures have now been implemented to prevent further email security breaches.

Conti Ransomware Gang Leaks Data Stolen in Attack on TaylorMade Diagnostics

Chesapeake, VA-based TaylorMade Diagnostics, an operator of occupational health clinics used by transportation companies and government agencies, has suffered a ransomware attack that has resulted in workers’ health data being leaked online.

Approximately 3,000 files stolen by the ransomware gang prior to file encryption have been published on a darknet leak site operated by the Conti ransomware gang. The leaked data relates to employees of Taylor Made Diagnostics clients, including the United Parcel Service and Norfolk Southern Railroad. The leaked data includes details of medical examinations, drug and alcohol testing reports, and full names, Social Security numbers, and scans of driver’s licenses.

Hendrick Health Provides Update on November 2020 Ransomware Attack

Hendrick Health has provided further information on a ransomware attack that forced it to adopt EHR downtime procedures in November 2020. The attack was detected on November 20, 2020 and steps were immediately taken to contain the attack. The investigation into the incident has revealed the attackers first gained access to its systems on October 10, 2020 and potentially viewed or obtained patient information between that date and November 9, 2020.

The types of data that may have been accessed included patients’ names, Social Security numbers, demographic data, and other information related to the care provided by Hendrick Health. The incident only affected patients who had previously received medical services at Hendrick Medical Center or the Hendrick Clinic. The locations at Hendrick Medical Center Brownwood and Hendrick Medical Center South were not affected.

The ePHI of 640,436 patients was stored on the compromised systems. Data security measures and system monitoring have now been strengthened and new features have now been added to its security alert software.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.