HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

JDC Healthcare Management Data Breach Affects More than 1 Million Texans

On March 17, 2022, Dallas, TX-based JDC Healthcare Management, which runs more than 70 Jefferson Dental & Orthodontics practices throughout the state of Texas, reported a security breach to the Office of the Attorney General of Texas that has affected more than 1 million Texans.

As previously reported on this site, JDC Healthcare Management detected malware within its IT network on or around August 9, 2021, with the forensic investigation into the security breach confirming the malware was downloaded onto its systems on July 27, 2021.

Further information on the data breach has now been obtained. JDC Healthcare Management explained that the malware gave unauthorized individuals access to its IT systems from July 27, 2021, to August 16, 2021, and its forensic investigation confirmed the attackers viewed or copied files on its systems that contained patients’ electronic protected health information (ePHI).

JDC Healthcare Management explained in its March 2022 breach notification letters that the comprehensive review of the impacted files is ongoing, but it has been confirmed that the types of exposed and compromised ePHI included names, dates of birth, Social Security numbers, driver’s license numbers, financial information, health insurance information, and medical information.

In its breach notification letters, JDC Healthcare Management said, “Upon learning of this incident, we moved quickly to investigate and respond to this incident, assess the security of our systems, restore functionality to our environment, and notify potentially affected individuals.”

JDC Healthcare Management said it is reviewing and enhancing its existing policies and procedures to reduce the likelihood of further security breaches. Affected individuals have been advised to check their accounts, explanation of benefits statements, and free annual credit reports, although there is no mention in the breach notification letters about credit monitoring and identity theft protection services being offered. JDC Healthcare Management said that at the time of issuing notification letters, it was unaware of any actual or attempted misuse of patient data.

Notification letters are now being sent and the incident will be reported to the HHS’ Office for Civil Rights. The breach report submitted to the Texas Attorney General indicates the ePHI of 1,026,820 Texans was potentially compromised.

Wheeling Health Right Inc. Suffers Ransomware Attack

Wheeling Health Right Inc. in West Virginia has announced it was the victim of a ransomware attack in January 2022. The security breach was detected on January 18, 2022, when access to files on its IT systems was prevented. Wheeling Health Right said it engaged legal counsel and a data breach remediation firm to investigate the attack and determine the extent to which its systems had been compromised.

A review of all files on the affected parts of its systems confirmed they contained sensitive patient and employee information such as full names, addresses, email addresses, phone numbers, driver’s license numbers, medical record numbers, Social Security numbers, tax information, income information, and health information of patients who applied for or received services from Wheeling Health Right.

Wheeling Health Right said its information technology service provider decrypted, recovered, and rebuilt its systems, initiated a password reset for all system end-users, implemented multi-factor authentication for employee email accounts, and installed additional endpoint detection and response software. Further privacy and security measures have also been implemented, including providing additional cybersecurity training to the workforce.

Wheeling Health Right said affected individuals were notified on March 18, 2022, and have been offered identity monitoring at no cost for 12 months. The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.