The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

East River Medical Imaging Cyberattack Affects 606,000 Patients

East River Medical Imaging in New York has started notifying 605,809 patients that some of their protected health information has been exposed or stolen in a cyberattack that was detected on September 20, 2023. The network was immediately taken offline, and a forensic investigation was launched to determine the nature and scope of the incident. The investigation determined there had been unauthorized access to its network between August 31, 2023, and September 20, 2023, and during that time, files containing patient data had been accessed and copied from its network.

The compromised information varied from individual to individual and may have included names, contact information, insurance information, exam and/or procedure information, referring physician names, imaging results, and/or Social Security numbers. Employee data was also compromised, including names, contact information, financial account information, Social Security numbers, and/or driver’s license numbers.

East River Medical Imaging said it has enhanced its network monitoring capabilities and will continue to assess and supplement its security controls. Notification letters started to be mailed to the affected individuals on November 22, 2023. Individuals whose Social Security numbers and/or driver’s license numbers were compromised have been offered complimentary credit monitoring services.

The Fred Hutchinson Cancer Center Suffers Thanksgiving Cyberattack

The Fred Hutchinson Cancer Center in Seattle, WA, has confirmed that it detected unauthorized network activity on its clinical network on November 19, 2023. An investigation into the unauthorized activity is ongoing and, at the time of the announcement, it was unclear if any patient data had been compromised. The network was taken offline within 72 hours of the security incident being identified and the clinical network is currently still offline. The MyChart online patient portal and its research network were unaffected. Care continued to be provided to patients and staff are working round the clock to resolve the issue and bring systems back online. No time frame could be provided on how long that process will take. The Fred Hutchinson Cancer Center issued notifications via the MyChart portal on December 1/2 and then emailed current and former patients on December 6/7, 2023, warning them to be vigilant and to monitor their accounts and credit reports for suspicious activity.

On December 20, 2023, the Fred Hutchinson Cancer Center confirmed that the third party had access to its network between November 19 and November 25, 2023, and during that time, copied files containing patient information. The files that were removed from its system contained the following types of PHI: name, address, phone number, email address, date of birth, Social Security number, health insurance information, medical record number, patient account number, date(s) of service and/or certain clinical information such as treatment/diagnosis information, lab results, or provider name. The Fred Hutchinson Cancer Center said its electronic medical record system was not accessed. On December 20, 2023, notification letters started to be mailed to the affected individuals. Individuals whose Social Security number was compromised have been offered complimentary credit monitoring and identity theft protection services.

Some patients have reported receiving threatening emails from the individuals behind the attack. The emails claim the data of 800,000 patients was stolen in the attack and threaten to release the stolen data on the dark web if patients do not pay to have their data deleted. The messages ask for payment of $50 to have the recipient's information deleted, and state that the reason for the individual ransom demands is that the Fred Hutchinson Cancer Center refused to pay the ransom. The Hunters International hacking group has claimed responsibility for the attack and claimed to have stolen 533 GB of data. The Fred Hutchinson Cancer Center has not yet confirmed how many individuals were affected.

Several class action lawsuits have already been filed in response to the data breach. They make similar claims: that the Fred Hutchinson Cancer Center failed to implement reasonable and appropriate cybersecurity measures to protect against unauthorized access to PHI.

The Fred Hutchinson Cancer Center was one of several healthcare providers to be attacked at Thanksgiving. Several hospitals operated by Ardent Health Services were affected by a ransomware attack and were forced to cancel appointments and divert ambulances.

1st Source Bank Confirms MOVEit Transfer Hack

1st Source Bank has confirmed that the protected health information of 1,477 individuals was stolen in May 2023 when hackers exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. The breach was discovered on June 1, 2023, and the review of the affected files and the collection of information required to issue notifications was completed on or around October 27, 2023. The compromised information includes names and Social Security numbers. Complimentary identity monitoring services have been provided to the affected individuals for 12 months.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
