Dignity Health Lassen Medical Clinic Cyberattack Affects 65,482 Patients
Cyberattacks have been reported by Dignity Health Lassen Medical Clinic in California, The Baker Center for Children and Families in Massachusetts, and Golden Age Home Health in Oklahoma. Sidney Health Center in Montana and The Center for Child Development in Delaware have identified HIPAA breaches by employees.
Dignity Health Lassen Medical Clinic
Dignity Health Lassen Medical Clinic has notified 65,482 patients of its clinics in Red Bluff and Cottonwood in California that some of their protected health information has been exposed or stolen in a September 2024 cyberattack. The attack was detected on September 20, 2024, when its IT network was disabled. Prompt action was taken to prevent further unauthorized access, and the network was restored the following day. An investigation by a third-party cybersecurity vendor determined that between September 17 and September 20, 2024, files were copied from the network that contained patient data.
The electronic medical record system was not involved, but the stolen files included patient data such as names, addresses, dates of birth, driver’s license numbers, financial account information, medical information, and health insurance information. A limited number of Social Security numbers were also present in the stolen files. Additional security and monitoring tools have been implemented to improve data security and rapidly detect any future intrusions, and the affected individuals have been offered complimentary credit monitoring services.
The Baker Center for Children and Families
Judge Baker Children’s Center, doing business The Baker Center for Children and Families in Boston, Massachusetts, experienced a security breach in July 2024 involving unauthorized access to its digital storage environment. The mental health clinic detected the security breach on July 28, 2024, and the investigation determined that an unknown unauthorized actor had access to certain systems for two days between July 26 and July 28, 2024. During that time, files may have been downloaded that contained patient information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The review of the affected systems concluded on October 28, 2024, and confirmed that the exposed data included names, addresses, dates of birth, Social Security numbers, driver’s license or other government identification numbers, financial account information, health insurance information, medical treatment or diagnosis information, and/or clinical information. Notification letters were mailed to the 2,715 affected individuals on December 27, 2024. The Baker Center has confirmed that steps are being taken to improve its security posture to prevent similar incidents in the future.
Golden Age Home Health
Golden Age Home Health, an Oklahoma City-based provider of home healthcare services, has suffered a cyberattack that involved unauthorized access to the protected health information of 2,280 patients. The November 22, 2024, notice on its website does not state when the breach was detected nor the types of information involved but does confirm that the affected individuals are being offered complimentary credit monitoring and fraud prevention services.
A helpline – 833-918-9899 – has been established for individuals to obtain further information about the incident. The helpline is manned Monday to Friday from 8 a.m. to 8 p.m. “We deeply regret any concern this situation may cause our patients and are dedicated to supporting patients every step of the way as we work to resolve this incident,” said Lydia Sowah, Administrator of Golden Age Home Health. “Protecting patient privacy and trust is our top priority, and we are taking all necessary steps to enhance our cybersecurity protocols.”
Sidney Health Center
Sidney Health Center in Montana has notified 1,370 patients about an insider data breach involving one of its physicians. In October 2024, an employee reported a potential privacy issue after observing a physician saving patient data to their personal Google account. An investigation was launched and its privacy monitoring tools confirmed that a personal Google account had been used in connection with patient data. The physician was interviewed and instructed to destroy or return all documents in the personal account that contained patient information. Sidney Health Center said, “Unfortunately, our efforts were not met with the necessary cooperation.”
Sidney Health Center reviewed the documents that had been inappropriately saved and confirmed that they contained patient information such as names, dates of birth, medical record numbers, medical histories, and treatment information including dates of service, provider names, diagnoses, and medications. Sidney Health Center confirmed that the documents did not contain Social Security numbers, health insurance ID numbers, or financial information. While the privacy incident was investigated, the physician had access to patient information suspended unless accompanied by a supervisor. The physician no longer works for Sidney Health Center and his conduct has been reported to the appropriate authorities. Individual notifications were mailed to the affected patients in early January 2025.
Center for Child Development
The Center for Child Development in Newark, DE, has discovered an impermissible disclosure of patient data to one of its clients. On October 24, 2024, a care coordinator sent an email to one client that included a list containing the names, dates of birth, insurance information, and account balances of 540 other clients. The error was rapidly identified and the security office contacted the recipient of the email and told them to delete the list. The care coordinator has received enhanced HIPAA training, and additional safeguards have been implemented to prevent similar incidents in the future. Notification letters have been mailed to the affected individuals and a press release was issued to the local newspaper to ensure full transparency with the public.
