HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hacking Incidents Reported by Southern Orthopaedic Associates and Eduro Healthcare

Paducah, KY-based Southern Orthopaedic Associates (SOA), doing business as the Orthopaedic Institute of Western Kentucky, has started notifying 106,910 patients about a breach of some of their protected health information.

SOA detected unauthorized activity in an employee email account on or around July 7, 2021. Steps were immediately taken to secure the account and an investigation was launched to determine the nature and scope of the breach. Assisted by a third-party computer forensics company, SOA determined that several employee email accounts had been compromised between June 24, 2021, and July 8, 2021; however, it was not possible to tell which, if any, emails in the accounts had been accessed.

A comprehensive review was conducted of all emails and attachments in the compromised accounts to determine if they contained any protected health information. The review was completed on October 21, 2021, and confirmed the accounts contained patient names and Social Security numbers.

Notification letters were sent to affected individuals starting on December 12, 2021. SOA has offered a complimentary 1-year membership to credit monitoring services through Experian, has implemented additional safeguards to improve email security, and has provided further security awareness training to the workforce.

Eduro Healthcare Data Breach Affects More Than 8,000 Patients

Salt Lake City, UT-based Eduro Healthcare has notified 8,059 patients about a potential breach of their protected health information. In March 2021, suspicious activity was detected in its network and action was immediately taken to contain the breach. The healthcare provider implemented its incident response plan, which allowed it to quickly restore access to its network.

Eduro Healthcare said the prompt action taken in response to the breach was believed to have prevented unauthorized individuals from accessing and exfiltrating patient information; however, on August 24, 2021, Eduro Healthcare discovered some patient data had been exfiltrated and posted on a dark web data leak site.

A painstaking process then began to identify the individuals affected and the types of data that had been compromised. That process was completed on October 21, 2021. The data compromised included first and last names, dates of birth, provider name, date(s) of service, treatment information, Social Security numbers, and health insurance information.

Affected individuals have been offered 12 months of complimentary credit monitoring and identity restoration services through IDX and will be protected by a $1,000,000 identity theft insurance policy. Eduro Healthcare has implemented additional security controls, conducted a complete audit of all accounts, strengthened password protocols, reconfigured its firewall, implemented multi-factor authentication on email accounts, and updated its network security protocols and procedures.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.