December Healthcare Data Breach Round-Up
Data breaches have been reported by Cardiothoracic and Vascular Surgeons, ZOLL Medical Corporation, Erie Family Health Centers, Health Diagnostic Management, BlueCross BlueShield of Tennessee, and Rush System for Health.
Cardiothoracic and Vascular Surgeons Investigating Cyberattack
Cardiothoracic and Vascular Surgeons in Texas discovered on October 13, 2023, that its systems had been accessed by an unauthorized individual. The forensic investigation confirmed there had been unauthorized access to its IT systems between October 12 and October 13, 2023, and during that time, an unauthorized third party may have viewed or obtained files containing patient information.
The review of the affected files is still ongoing, but the following types of information are anticipated to have been exposed: individuals’ names, Social Security Numbers, credit card information, account numbers and passwords, financial account information, driver’s licenses, dates of birth, medical record numbers, health insurance information, patient account numbers, doctors’ or medical professionals’ names, treatment information, procedure codes, diagnosis codes, Medicaid/Medicare numbers, dates of treatment, prescription information, diagnosis and symptoms information.
Cardiothoracic and Vascular Surgeons said they are reviewing their policies, procedures, and processes related to the storage and access of sensitive information to reduce the likelihood of a similar future incident. Since the number of individuals affected has yet to be established, the breach has been reported to the HHS’ Office for Civil Rights with an interim figure of 500 individuals and will be updated when the file review is completed.
PHI Compromised in Phishing Attack on ZOLL Medical Corporation
ZOLL Medical Corporation has recently announced that it was the victim of a sophisticated phishing attack. An employee responded to a phishing email and disclosed credentials that allowed the email account to be accessed. According to the breach notice provided to the Maine Attorney General, the attack occurred on August 2, 2023, and it was detected on November 1, 2023.
The review of the account confirmed it contained names, addresses, and Social Security numbers. The breach was reported to the Maine Attorney General as affecting 15,276 individuals in total. The HHS’ Office for Civil Rights breach portal indicates the PHI of 8,898 individuals was compromised. ZOLL Medical has offered the affected individuals 36 months of credit monitoring and identity theft protection services.
Email Account Breach Reported by Erie Family Health Centers
Erie Family Health Centers has recently confirmed that the protected health information of 6,351 patients was potentially accessed or obtained by an unknown threat actor who gained access to the email account of one of its employees on October 1, 2023. The email account breach was detected on October 19, 2023, and the account was immediately secured. Erie Family Health Centers engaged a cybersecurity company to determine whether patient data had been viewed. No evidence of unauthorized access to patient data was found, nor evidence of any uploads of patient data to the dark web. The information in the account included names, dates of birth, medical record numbers, dates of service, laboratory test tracking numbers, and insurance identification numbers. Affected patients have been offered complimentary credit monitoring services.
Health Diagnostic Management Announces Patient Portal Breach
Health Diagnostic Management (HDM), a New York-based provider of non-medical management services for diagnostic imaging centers, experienced a breach of its patient portal on October 12, 2023. The vendor that operates the HDM patient portal identified suspicious activity on October 13, 2023. Its investigation revealed that valid credentials for a referring physician from Brooklyn Premiere Orthopedics were used to access the patient portal. Brooklyn Premiere Orthopedics announced it had suffered a data breach the week before the unauthorized activity was detected, leading HDM to conclude that the credentials were stolen in that breach.
The review of the affected accounts concluded on November 21, 2023, and affected individuals were notified on October 16, 2023. Affected individuals have been offered complimentary credit monitoring services. HDM is in the process of implementing additional security safeguards, and has engaged a third-party vendor to conduct penetration tests on the patient portal after the security updates are implemented. The breach was reported to the HHS’ Office for Civil Rights as affecting 1,863 individuals.
BlueCross BlueShield of Tennessee Affected by MOVEit Hack
BlueCross BlueShield of Tennessee (BCBST) has announced that the protected health information of 1,665 of its members was stolen by the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer tool. MOVEit Transfer was used by the BCBST business associate NASCO for file transfers. The vulnerability was exploited on May 30, 2023, and NASCO learned it had been affected on July 12, 2023, and notified BCBST about the breach on October 20, 2023. The information compromised in the incident was limited to health insurance numbers, group numbers and names, claim information, medical ID numbers, dates of service, procedure codes, and provider names. NASCO is notifying the affected BCBST members and is offering 24 months of identity monitoring services.
Rush System for Health Notifies Patients About Email Error
An email error at Rush University System for Health on October 25, 2023, caused research surveys to be misdirected, so that the name of one patient was visible to another recipient of the survey. No other information was exposed. The error was traced to a spreadsheet that became misaligned during data sorting, and it resulted in the impermissible disclosure of the names of 4,961 patients.
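The Rush incident is a common mail-merge failure mode: a roster sorted one column at a time re-pairs names with the wrong email addresses, and the merge then sends each patient someone else's name. The example below is added here to illustrate that mechanism and a pre-send check that catches it; it is not Rush's code or data, the roster is constructed from hypothetical patients, and the function names are the editor's own.

```python
"""Added example (not from the original article): how sorting a spreadsheet
column by column misaligns names and email addresses, and a pre-send check
that refuses a mail merge whose rows no longer match the source of truth.
All patient data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Recipient:
    patient_id: str
    name: str
    email: str


# Constructed roster (hypothetical patients, not real people).
ROSTER = [
    Recipient("P-001", "Alice Example", "a.example@example.org"),
    Recipient("P-002", "Bob Example", "robert.ex@example.org"),
    Recipient("P-003", "Carol Example", "c.example@example.org"),
]


def sort_columns_independently(roster):
    """The failure mode: the name column and the email column are each sorted
    as a separate range, so rows are rebuilt from two unrelated orderings and
    names end up paired with other patients' addresses."""
    ids = [r.patient_id for r in roster]
    names = sorted(r.name for r in roster)
    emails = sorted(r.email for r in roster)
    return [Recipient(i, n, e) for i, n, e in zip(ids, names, emails)]


def sort_rows(roster):
    """The correct operation: sort whole records so each row stays intact."""
    return sorted(roster, key=lambda r: r.name)


def misaligned_rows(original, candidate):
    """Pre-send check. Every (email, name) pair in the outgoing list must exist
    in the source-of-truth roster; return the rows that would carry another
    patient's name to the wrong inbox."""
    truth = {r.email: r.name for r in original}
    return [r for r in candidate if truth.get(r.email) != r.name]


def build_survey_messages(original, candidate):
    """Mail-merge step that refuses to produce any message when the candidate
    list is misaligned, rather than sending a partial batch."""
    bad = misaligned_rows(original, candidate)
    if bad:
        raise ValueError(f"{len(bad)} row(s) misaligned; aborting send")
    return {r.email: f"Dear {r.name}, please complete the attached survey." for r in candidate}


if __name__ == "__main__":
    good = sort_rows(ROSTER)
    print("row-sorted:", misaligned_rows(ROSTER, good))          # []
    bad = sort_columns_independently(ROSTER)
    for r in misaligned_rows(ROSTER, bad):
        print("would misdirect:", r.name, "->", r.email)
```

The check keys on the email address because that is what the mail system actually delivers to; any personalisation field that disagrees with the roster entry for that address is a disclosure waiting to happen. Running the check against the original export, before any sorting or manual editing, is what turns a spreadsheet mistake into a blocked send instead of a breach notification.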