Healthback Holdings Email Security Breach Affects 21,000 Individuals

The Oklahoma City home health provider, Healthback Holdings, has started notifying 21,114 individuals that some of their protected health information has potentially been viewed or obtained by unauthorized individuals. Unusual activity was detected within its email environment on June 1, 2022. A third-party cybersecurity firm was engaged to assist with the investigation and confirmed that a limited number of employee email accounts had been accessed by an unauthorized third party between October 5, 2021, and May 15, 2022, as a result of responses to phishing emails.

It was not possible to tell which emails, if any, had been viewed, nor if any information in the accounts had been stolen. Notification letters were therefore sent to all individuals whose protected health information was present in the affected email accounts. The exposed information varied from individual to individual and may have included names, health insurance information, Social Security numbers, and clinical information.

Complimentary credit monitoring and identity theft protection services are being provided to eligible individuals. Healthback Holdings has strengthened its email security and further training has been provided to employees on how to detect and avoid phishing emails.

Hacking Incident Reported by the City of Newport in Rhode Island

The City of Newport, RI, has recently reported a breach of the protected health information of 6,109 individuals to the HHS’ Office for Civil Rights. Unusual network activity was detected within its network on June 9, 2022, and certain systems on the network became unavailable. The forensic investigation confirmed hackers had gained access to its network on June 8, 2022, and removed files containing sensitive information from its systems.

Please see the HIPAA Journal Privacy Policy

A review of the affected files was completed on June 12, 2022, and confirmed that they contained the information of current and former employees and their spouses and/or dependents, including names, addresses, dates of birth, Social Security numbers, financial account numbers used for direct deposit, and information related to group health insurance.

Notification letters were sent to affected individuals on July 22, 2022. Complimentary memberships to identity monitoring services have been offered to affected individuals and steps have been taken to improve the security of the network.

Minuteman Senior Services Email Account Accessed by Unauthorized Individual

Bedford, MA-based Minuteman Senior Services has discovered that an unauthorized individual gained access to an employee’s email account and potentially viewed or obtained sensitive information in the account. The unauthorized access was detected on June 1, 2022, with the forensic investigation confirming the account had been accessed for less than 24 hours.

In a July 29, 2022, substitute breach notification, Minuteman explained that the account contained information such as full names, addresses, birth dates, gender, health insurance information, diagnosis, and service utilization information. No evidence of data theft or misuse has been identified at the time of issuing notifications.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 4,000 individuals.

OrthoArizona Notifies Patients About October 2021 Cyberattack

OrthoArizona has recently started notifying 2,748 individuals that their protected health information was exposed and potentially stolen in a cyberattack that was detected on October 30, 2021. OrthoArizona said it quickly engaged the services of a third-party cybersecurity company to assist with the investigation but said the investigation and remediation process was “extensive and labor intensive,” which is why it has taken so long to issue notifications.

The review of the affected files confirmed they contained names, mailing addresses, dates of birth, Social Security numbers, and certain health insurance information. No cases of fraud have been identified as a result of the incident. Individuals who had their Social Security number exposed have been offered complimentary credit monitoring and identity theft protection services through IDX. OrthoArizona said it has reviewed and enhanced its data security policies and procedures.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.