
December 14, 2023, Healthcare Data Breach Round Up

A round-up of healthcare data breaches that have recently been reported to the HHS’ Office for Civil Rights and State Attorneys General.

PHI Compromised in Cyberattack on Regional Family Medicine

Regional Family Medicine in Mountain Home, AR, has recently notified the Maine Attorney General about a data breach that involved the personal and protected health information of 80,166 individuals. An IT outage was experienced on June 26, 2023, which prevented access to certain local systems. Third-party cybersecurity experts were engaged to investigate the incident and confirmed there had been unauthorized access to its network between June 8 and June 26, 2023.

The parts of the network that were compromised contained files that included information such as names, Social Security numbers, driver’s license or state identification numbers, dates of birth, biometric data, medical information, health insurance information, account numbers, and workplace evaluations. Following the attack, Regional Family Medicine enhanced its security measures to prevent similar breaches from occurring in the future. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Florida Community Care Affected by MOVEit Hack at ILS

Florida Community Care, LLC, a Miami-Dade County, FL-based health plan, has recently confirmed that information of 30,891 of its members was compromised when a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution was exploited. Progress Software released a patch for the flaw on May 31, 2023; however, the flaw had already been exploited.

The MOVEit Transfer tool was used by its business associate, Independent Living Systems. No Florida Community Care systems were compromised. The compromised information included names, subscriber numbers, and policy numbers. Independent Living Systems is notifying the affected individuals and is offering complimentary credit monitoring and remediation services.

Email Account Breach Reported by Neuromusculoskeletal Center of the Cascades

The protected health information of 22,328 patients of the Neuromusculoskeletal Center of the Cascades and the Cascade Surgicenter in Oregon has been exposed and potentially obtained by unauthorized individuals. Suspicious activity was identified in an employee’s email account on October 3, 2023. The investigation revealed multiple email accounts had been compromised between October 2, 2023, and October 3, 2023.

The review of the email accounts was completed on November 21, 2023, and confirmed they contained patient names along with one or more of the following: address, phone number, email address, date of birth, Social Security number, driver’s license/state ID number, financial account number, routing number, financial institution name, credit/debit card information, treatment/diagnosis information, prescription information, provider name, medical record number, Medicare/Medicaid ID number, health insurance information, treatment cost, and/or digital signature. Email security policies and procedures have been reviewed and updated, and credit monitoring and identity theft protection services have been offered to the affected patients.

PHI Exposed in Phishing Attack on The Amani Center

Columbia County Child Abuse Assessment Center, which does business as The Amani Center in Oregon, identified suspicious activity in an employee email account on August 18, 2023. The investigation revealed several email accounts had been compromised in the attack, which affected several businesses and organizations in its community and resulted in unauthorized access to accounts between August 7, 2023, and August 18, 2023.

The review of the accounts was completed on October 19, 2023, and confirmed the following information had been exposed: names, medical information, medical record numbers, health insurance information, Social Security numbers, driver’s license numbers, financial account information, treatment/diagnosis information, prescription information, medical record/patient ID numbers, treatment cost information, or other information provided to The Amani Center.

No evidence of misuse of patient data has been found, and while the risk of data misuse is believed to be low, complimentary credit monitoring and identity protection services have been offered to the affected individuals. The breach was reported to the Office for Civil Rights as affecting 2,374 individuals.

The Children’s Home of Wyoming Conference Email Breach

The Children’s Home of Wyoming Conference in Binghamton, NY, a provider of community services to children and families, identified suspicious activity in two employee email accounts on June 13, 2023. After the accounts were secured, the affected mailboxes were reviewed, and on September 12, 2023, it was confirmed that one of those accounts contained protected health information.

The affected individuals had previously received medical treatment from the Children’s Home of Wyoming Conference. The exposed information included names, dates of birth, Social Security numbers, addresses, medical record numbers, patient account numbers, health insurance information, diagnosis and treatment information, clinical and prescription information, and/or provider information. Notification letters were sent on November 10, 2023, along with information to help those people prevent any misuse of their data. The breach was reported to the Office for Civil Rights as affecting 1,111 individuals.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
