HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Lexington Medical Center and CalViva Health Affected by Third-Party Data Breaches

Wake Forest Baptist Health has announced an unauthorized individual gained access to the systems of one of its technology vendors between October 16 and October 28, 2020 and potentially viewed or acquired files containing the protected health information of certain patients of Lexington Medical Center in North Carolina.

The breach occurred at Healthgrades Operating Co. Inc., which provided the hospital with patient and community education on health matters and medical services. The exact nature of the breach was not disclosed.

No reports have been received to date to indicate any information was stolen and misused. The types of PHI potentially accessed includes names, addresses, dates of birth, contact information, demographic information, medical treatment information, and Social Security numbers. The files contained PHI dated from mid-2010 to mid-2011.

All individuals whose PHI was potentially compromised in the attack were notified by mail on March 26, 2021 and have been offered complimentary credit monitoring and identity theft protection services.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

It is currently unclear how many Lexington Medical Center patients have been affected. Healthgrades Operating Co. reported the breach to the HHS’ Office for Civil Rights as affecting 35,485 individuals in total.

CalViva Health Members Affected by Accellion Ransomware Attack

The protected health information of certain members of Fresno, CA-based CalViva Health has been compromised in a cyberattack at a third-party vendor. The individuals behind the attack may have accessed or downloaded sensitive files, although there are no indications at this stage that any sensitive information has been misused.

The vendor was Health Net Community Solutions, and its file transfer solution was provided by Accellion, which suffered a ransomware attack in which customers’ files were stolen. The attackers had access to data in the solution from January 7 to January 25, 2021.

As is common in manual ransomware attacks, the attackers released a sample of the stolen data on its leak site to encourage payment of the ransom. It is unclear if any of that information relates to CalViva Health members.

Health Net has since removed all files relating to CalViva members from the Accellion file transfer system and has now stopped using Accellion’s file transfer services.

CalViva Health has advised all affected members to monitor their statements and explanation of benefits statements for signs of fraudulent activity. As a precaution against identity theft and fraud, all affected individuals have been offered a membership to credit monitoring and identity theft services for one year at no cost.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.