HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breaches Reported by WV and CO Healthcare Providers and NJ Medical Billing Administrator

Charleston Area Medical Center Breach Affects 54,000 Patients

Charleston Area Medical Center (CAMC) in Charleston, WV, has recently announced it was the victim of a phishing attack in which the email accounts of some of its employees were accessed by unauthorized individuals. The email accounts were compromised between January 10 and 11, 2022. CAMC discovered the unauthorized access on January 10, steps were immediately taken to secure the affected accounts, and a leading cybersecurity forensics firm was engaged to investigate the breach.

An extensive review was conducted on the emails in the accounts to determine which patient information had potentially been accessed. That review was completed on March 16, 2022. The forensic investigation suggests the attacker was not attempting to access patient data, instead, the aim appeared to be to collect employee login information, but data theft could not be ruled out.

The types of data potentially accessed included first and last names, medical record numbers, and health information such as discharge dates, test results, and diagnostic and treatment information. CAMC said that less than 0.001% of the potentially affected population also had their Social Security numbers and/or financial account numbers exposed, although no access codes were compromised that would allow financial accounts to be accessed.

CAMC said affected individuals have been notified and technical security measures have been enhanced to prevent further data breaches in the future. The breach has been reported to the HHS’ Office for Civil Rights as affecting 54,000 individuals.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Advanced Medical Practice Management Sends Notification Letters About July 2021 Cyberattack and Data Theft Incident

The New Jersey medical billing administrator, Advanced Medical Practice Management (AMPM), has recently announced it was the victim of a cyberattack that involved the data of several of its healthcare provider clients. AMPM identified suspicious activity related to files within its IT environment on August 5, 2021, and immediately secured its network. The forensic investigation of the breach confirmed that unauthorized individuals had accessed and exfiltrated certain files between July 11, 2021, and July 13, 2021.

A comprehensive review was conducted on all files on its network that were potentially accessed or exfiltrated, then contact information was verified so that notifications could be issued. That process was completed on January 27, 2022, the affected clients were notified, and authorization was received to send notification letters. AMPM said individuals affected had one or more of the following types of data exposed or stolen from its systems:

Name, Social Security number, financial account information, driver’s license and/or state identification number, credit and/or debit card number, expiration date, and CVV number, date of birth, passport number, electronic signature information, medical record number, prescription information, Medicare number, Medicaid number, treatment location, physician’s name, diagnosis, health insurance information, and/or other medical treatment information.

AMPM said it has reviewed its policies and procedures and has implemented additional safeguards to prevent further data breaches in the future. The breach has recently been reported to the HHS’ Office for Civil Rights as affecting 56,427 individuals.

Colorado Physician Partners Reports Email Account Breach

Colorado Physician Partners (CPP), a network of primary care practices in the Denver area, has recently announced a breach of its email environment. On January 27, 2022, CPP learned that an individual using a foreign IP address had accessed the email account of a CPP employee.

The email account was immediately secured, and a third-party forensics firm was engaged to investigate the breach. By February 24, 2022, the investigation concluded, and it was determined the email account was compromised between January 25 and January 27, 2022. Because the access involved syncing, a copy of emails in the account may have been obtained by the hacker.

A comprehensive review of the emails in the account confirmed they contained the protected health information of 12,877 patients. In addition to names, the emails contained one or more of the following types of PHI: date of birth, Social Security number, home address, phone number, email address, dates and nature of services, billing and coding for services, insurance ID number, and in some cases, diagnoses, conditions, or medication.

CPP said it has enhanced its safeguards and changed the settings for how employees access their email accounts. Security awareness training has also been reinforced with its workforce. CPP has issued notification letters to affected individuals and is offering complimentary identity theft protection services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.