25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Data Breaches Reported by University Urology and McPherson Hospital

Posted By on May 10, 2023

University Urology – Hacking Incident

University Urology in New York City has started notifying 56,816 individuals that unauthorized individuals gained access to some of its systems and potentially obtained their personal and health information. Suspicious activity was detected within its computer systems on February 1, 2023, and third-party cybersecurity experts were engaged to conduct a forensic analysis of the incident to determine the nature and scope of the attack. The investigation concluded on March 3, 2023, that files within its network were accessed. A manual review of those files was conducted and concluded on March 30, 2023. Contact information was then verified, and notification letters were sent on May 1, 2023.

The types of information that were exposed varied from individual to individual and may have included first and last name, date of birth, address, medical condition, medical treatment, test results, prescription information, health insurance information, subscriber ID number, health plan beneficiary number, billing/invoice information, and username/email address plus passwords/security questions and answers that would allow account access.

University Urology said Sentinel One agents were deployed for 30 days, which allowed the cybersecurity firm to monitor its environment for malicious activity and indicators of compromise. It has now been confirmed that all methods of persistence, unauthorized remote access tools, and malicious files have been removed from its systems, and additional security measures have now been implemented.

While there have been no reported cases of actual or attempted misuse of the exposed data, complimentary credit monitoring and identity theft protection services have been offered to affected individuals for 12 or 24 months.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

McPherson Hospital – Ransomware Attack

McPherson Hospital in Kansas has recently issued notification letters to 19,020 patients to alert them about a July 2022 ransomware attack. According to the breach notifications, third-party cybersecurity experts were engaged to investigate the data breach to determine the extent of the unauthorized activity and help with securing its systems. The internal investigation concluded on March 15, 2023, that patient data may have been acquired, including names, dates of birth, Social Security numbers, medical treatment information, billing information, and health insurance information. Notification letters were sent in early May, almost 10 months after the attack.

Affected individuals have been offered complimentary single-bureau credit monitoring services. McPherson Hospital said its technical safeguards have been reviewed and enhanced to prevent similar incidents in the future.

Catholic Health – Unauthorized Access by Employee of Business Associate

Catholic Health in New York has recently announced that the protected health information of some of its long-term care residents has been exposed in a security breach at one of its business associates, Minimum Data Set Consultants (MDS). MDS launched an investigation into a potential data breach in March 2023 after discovering suspicious system activity.

The investigation confirmed that an unauthorized individual accessed patient data on or around August 27, 2022, such as names, birthdates, Social Security and Medicare numbers, and diagnosis information. The unauthorized access was traced to a former employee. MDS has confirmed that that individual no longer has access to the system and that the matter has been reported to law enforcement, which has launched an investigation. While patient data is not believed to have been accessed with a view to committing identity theft or fraud, affected individuals have been told to monitor their accounts for suspicious activity.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 12,759 individuals.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist