First Choice Community Healthcare Data Breach Affects 101,000 Patients

First Choice Community Healthcare in Albuquerque, NM, has started notifying certain patients that an unauthorized individual gained access to its network and potentially stole patient data. In a substitute breach notification, First Choice explained that unusual activity was detected within its technological environment on March 27, 2022. A third-party cybersecurity firm was engaged to conduct a forensic investigation and determine the nature and scope of the breach. While it was not possible to confirm if any files had been accessed or exfiltrated, the possibility could not be ruled out.

A comprehensive review of the affected files was completed on June 3, 2022, which confirmed that the following information had potentially been compromised: names, Social Security numbers, First Choice patient ID number, diagnosis and clinical treatment information, medications, dates of service, health insurance information, medical record number, patient account number, date of birth, and provider information. Affected individuals were notified about the breach by mail on August 1, 2022, and have been offered complimentary identity theft protection services through IDX.

The HHS’ Office for Civil Rights website indicates 101,541 individuals have been affected.

Arlington Skin Notifies 17,468 Patients About Electronic Medical Record Data Breach

Dr. Michelle A. Rivera, MD, doing business as Arlington Skin in Virginia, has started notifying 17,468 patients that their protected health information may have been accessed by unauthorized individuals in a security breach at its business associate, Virtual Private Network Solutions (VPN Solutions).

VPN Solutions managed the electronic medical records of patients of Arlington Skin via the Allscripts practice management solution and electronic medical records platform. The cyberattack was discovered by VPN Solutions on or around October 31, 2021, and the forensic investigation confirmed that the information potentially compromised in the attack included names, addresses, dates of birth, diagnostic and treatment information, health insurance information, and Social Security numbers.

Notification letters started to be sent to affected individuals on July 8, 2022. No evidence of data theft was found but, as a precaution, fraud assistance and remediation services have been provided to affected individuals through CyberScout.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.