Hackers Obtained the Data of BU Framingham Heart Study Participants
Boston University has notified all Framingham Heart Study participants that hackers have obtained their personal and medical information. Data breaches have also been announced by Rumpke Consolidated Companies, OrthopedicsNY, and IU Health.
Boston University – Framingham Heart Study Data Breach
Boston University (BU) has recently notified all Framingham Heart Study participants about a September 2024 hacking incident in which hackers downloaded participants’ personal and medical information. The Framingham Heart Study was founded in 1948 and was devised to determine the causes, characteristics, and common factors that contribute to cardiovascular disease. It is the longest-running multi-generational heart study in the United States, and some individuals have been participating for more than 75 years and have enrolled their children and grandchildren in the study. All 15,448 participants have been affected by the data breach.
The cyberattack occurred on September 8, 2024, and was interrupted by BU officials, although not in time to prevent sensitive data from being downloaded. The stolen data included names, addresses, telephone numbers, email addresses, dates of birth, sex/race/ethnicity, occupation and self-reported income, signatures, medical information, and, for around 2% of individuals, their Social Security numbers.
Since the breach, BU has been working with the National Institutes of Health, the Department of Health and Human Services, and law enforcement agencies to determine exactly what happened and to make resources available for study participants. BU is implementing additional safeguards to ensure that similar attacks are prevented in the future. All 15,448 participants have been notified about the breach by mail and individuals whose Social Security numbers were stolen have been offered complimentary credit monitoring services.
Rumpke Waste & Recycling Services Reports Breach of Benefit Plan Data
Rumpke Waste & Recycling Services, which operates in Ohio, Indiana, Kentucky, and West Virginia, has notified 16,946 members of the Rumpke Consolidated Companies Inc. & Affiliates Benefits Plan that hackers have stolen some of their personal and protected health information.
On October 11, 2024, Rumpke was alerted to a claim by a hacker that its systems had been breached and sensitive data had been exfiltrated. Steps were immediately taken to secure its systems and prevent further unauthorized access, and the investigation confirmed the data theft. The hacker used a compromised user account on July 20, 2024, to access its systems and exfiltrated the data of benefits plan members and their spouses and dependents from 2015 to July 27, 2024.
The stolen data included names, addresses, phone numbers, dates of birth, and email addresses in combination with some or all of the following: health insurance enrollment and account information, health data such as diagnosis information and codes, health billing and payment data including claim numbers, account numbers, billing codes, payment amounts, and balance information, and/or personal data such as Social Security numbers, driver’s license/state ID numbers, and financial account information. System security has been enhanced and the affected individuals have been offered single-bureau credit monitoring services for 24 months.
OrthopedicsNY Notifies Individuals About December 2023 Hacking Incident
OrthopedicsNY in Latham, NY, has notified 656,086 patients about a hacking incident detected almost a year ago on December 28, 2023. A hacker attempted to infiltrate its network and demanded a ransom payment. Assisted by independent security and forensic investigators, OrthopedicsNY ensured its systems were secured and investigated the hacker’s claims.
The December 13, 2024, data breach notification letters state that the investigation took until December 5, 2024, to complete and confirmed that the data stolen in the incident included names, Social Security numbers, and taxpayer identification numbers. OrthopedicsNY has arranged for 12 months of single-bureau credit monitoring services to be provided to the affected individuals. OrthopedicsNY has implemented additional safeguards and enhanced security measures to prevent similar incidents in the future.
When The HIPAA Journal first reported the data breach in December 2024, only 5,397 individuals were known to have been affected. The total was later increased to 656,086 current and former patients and employees. The New York Attorney General investigated the data breach and imposed a $500,000 financial penalty to resolve alleged violations of state laws.
IU Health Discovers Email Account Breach
Indiana University Health Affiliated Covered Entity (IU Health) has identified unauthorized access to an employee’s email account. The breach was detected on October 18, 2024, and the forensic investigation revealed an unauthorized individual had access to the email account from October 4 until October 18, 2024, and may have obtained information stored in the account.
The types of data exposed and potentially stolen varied from individual to individual and may have included names in combination with one or more of the following: address, age, medical record number, diagnosis, or other limited treatment information. Notification letters were mailed to the affected individuals on December 17, 2024. The incident has been reported to the HHS’ Office for Civil Rights, but it is not yet shown on the breach portal, so it is unclear how many individuals were affected.


