Email Breach Reported by The Facial Pain Center
The Facial Pain Center in Minnesota has revealed several employee email accounts were accessed by an unauthorized individual in January 2024, exposing the protected health information of 1,894 individuals. Suspicious activity was identified in certain employee email accounts on January 23, 2024. Immediate action was taken to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the incident.
A third-party cybersecurity company assisted with the investigation and confirmed that the threat actor had access to emails and related file shares, although the extent to which patient data was accessed and/or copied is not known. Due to the amount of data and number of email accounts involved, it has taken several months to complete the review. That process was completed on June 10, 2024.
The types of data involved varied from individual to individual and may have included names along with one or more of the following: date of birth, demographic information, medical information, and/or health insurance information. The Facial Pain Center said it had implemented safeguards to protect information in its email accounts prior to this incident, including multifactor authentication prompts to access data within its environment. Those measures are now being enhanced to prevent similar breaches in the future. Individual notification letters have now been mailed to the affected individuals, who have been advised to be vigilant against misuse of their information. Credit monitoring/identity theft protection services do not appear to have been offered.
“Our investigation determined that an unauthorized actor potentially viewed or accessed certain information stored within a limited number of employee email accounts and/or related shared files. We are confident that the incident has been contained and remediated,” The Facial Pain Center told The HIPAA Journal. “Data security is of the utmost importance to us. We are committed to supporting our patients and partners through this process and have started notifying any individuals whose personal information may have been involved.”
Mt. Carmel Care Center Notifies Residents About August 2023 Cyberattack
The Lenox, MA, nursing home, Mt. Carmel Care Center, has notified the Maine Attorney General about a data breach that has affected 2,375 individuals. Suspicious activity was identified in its computer systems on October 15, 2023, and the subsequent forensic investigation confirmed that an unauthorized third party first accessed its network more than a year ago on August 17, 2023. The unauthorized access continued until October 15, 2023, during which time files containing sensitive information were copied from its computer systems.
It took until June 6, 2024, to complete the file review, determine the types of information involved and the individuals affected, and validate the data; however, Mt. Carmel Care Center did upload a substitute breach notice to its website on December 14, 2023, to warn patients about the incident. Individual notification letters were mailed on August 26, 2024.
The notification letters confirm that the types of data compromised included names and financial account information only. The nursing home said it is reviewing its cybersecurity policies and procedures and assessing new cybersecurity tools to reduce the risk of further cyberattacks and data breaches.


