HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hacking Incidents Reported by Retinal Consultants Medical Group, Three Rivers Regional Commission, & ACE Surgical Supply

Retinal Consultants Medical Group, ACE Surgical Supply, and Three Rivers Regional Commission have recently reported cyberattacks in which the protected health information of patients may have been obtained by unauthorized individuals.

Retinal Consultants Medical Group Hacking Incident Affects 11,603 Patients

Vitreo-Retinal Medical Group Inc., dba Retinal Consultants Medical Group, says it was the victim of a sophisticated cyberattack that was detected on or around July 12, 2021 and caused a service disruption.

Vitreo-Retinal Medical Group engaged third-party cybersecurity consultants to help restore its systems and investigate the nature and scope of the attack. While the investigation confirmed unauthorized individuals had gained access to its computer network, it was not possible to tell if any protected health information was accessed or exfiltrated, although no reports have been received that suggest actual or attempted misuse of patient data.

A comprehensive manual and programmatic review of the affected systems confirmed the following types of protected health information had potentially been compromised: name, address, date of birth, medical condition or treatment information, medical record number, diagnosis code, patient account number, Medicare/Medicaid information, treating physician name, health insurance information, and username/password. A limited number of Social Security numbers were also stored on the affected systems.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Vitreo-Retinal Medical Group says third-party cybersecurity experts have been assisting with a review of its security systems and additional measures will be implemented, as appropriate, to improve data security.

Affected individuals started to be notified on November 9, 2021, and complimentary credit monitoring services have been made available where required.

12,122 Individuals Affected by Cyberattack on ACE Surgical Supply

Brockton, MA-based ACE Surgical Supply has discovered its IT environment was accessed by an unauthorized individual who may have viewed or obtained the protected health information of 12,122 individuals.

Its systems were accessed on June 29, 2021, and the breach was detected the same day. The investigation confirmed the affected systems contained personal information along with financial account numbers, debit/credit card information, and information that could potentially allow accounts to be accessed.

ACE Surgical Supply said affected individuals have been offered credit monitoring and identity theft protection services for 24 months at no cost.

Three Rivers Regional Commission Ransomware Attack Impacts 2,000 Patients

The Griffin, GA-based regional planning organization, Three Rivers Regional Commission, has discovered the protected health information of around 2,000 individuals may have been obtained by unauthorized individuals in a ransomware attack.

The attack was detected on July 20, 2021, when employees were prevented from accessing its computer systems. Assisted by third-party cybersecurity experts, Three Rivers Regional Commission determined the attacker gained access to its systems between July 18, 2021 and July 20, 2021 and prior to the use of ransomware, exfiltrated files containing sensitive data.

The forensic investigation is ongoing and notification letters will be sent to affected individuals when their identities and contact information have been determined. At this stage, the following types of information are believed to have been obtained in the attack: Name, address, driver’s license number, Social Security number, and medical information, including diagnosis and treatment information, lab test results, medications, and Medicare/Medicaid identification numbers.

Three Rivers Regional Commission said it is implementing additional administrative and technical safeguards to further secure the information in its systems.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.