Meridian Behavioral Healthcare Discloses 99,000-Record Data Breach
Data breaches have recently been reported by Meridian Behavioral Healthcare, Network 180, Erie VA Medical Center, and Fred Hutchinson Cancer Center.
Meridian Behavioral Healthcare
Meridian Behavioral Healthcare, Inc. in Florida has recently confirmed that protected health information was exposed in a security breach that was detected on August 11, 2023. Third-party cybersecurity specialists were engaged to investigate the breach and on December 4, 2023, confirmed that 98,808 individuals had been affected. Written notifications were mailed on December 22, 2023. The information exposed in the breach varied from individual to individual and may have included names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.
Meridian Behavioral Healthcare said it is not aware of any misuse of patient data but has offered the affected individual complimentary credit monitoring services. Additional security measures have been implemented within its network, and data security policies and procedures are being reviewed and will be updated to better protect patient data.
Network 180
The Kent County Community Mental Health Authority, which does business as Network 180, has notified 59,334 individuals about unauthorized access to their protected health information. A security breach was detected on October 18, 2023, and the attack was contained by the IT department the same day. Third-party cybersecurity experts were engaged to investigate the breach and confirmed on October 25, 2023, that the unauthorized activity stemmed from a phishing attack.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
An employee clicked a malicious link in an email that directed them to a website where they were prompted to enter their credentials, which were captured by the attacker and used to access the employee’s email account. Network 180 said multi-factor authentication was enabled on the employee’s account; however, the MFA controls were bypassed in the attack. The threat actor was able to access the employee’s email account between September 28, 2023, and October 18, 2023, and during that time exported data from the account, including names, addresses, dates of birth, full or partial Social Security Numbers, health insurance policy information, medical information, other demographic information (i.e., race or gender), and in a limited number of cases, financial account or payment card numbers and/or driver’s license numbers.
Network 180 said it has taken several steps to improve the security of its Office 365 email accounts and has hired cybersecurity staff to proactively monitor its systems. The affected individuals have been notified and offered complimentary credit monitoring services for 12 months. Network 180 deserves credit for being transparent about the data breach and providing detailed information in its breach notice to the affected individuals.
Erie VA Medical Center
Erie VA Medical Center has apologized for an impermissible disclosure of patient data in mid-November. A printing error was made when sending appointment scheduling and appointment reminders to patients, which resulted in the reminders being sent to incorrect patients. The postcards only included information concerning the appointment and did not include sensitive or other identifying information. 2,380 veterans in Delaware, Kentucky, Maryland, New Jersey, New York, Ohio, Pennsylvania, Virginia, & West Virginia were affected. The postcards were sent to the correct recipients on November 16, 2023.
Fred Hutchinson Cancer Center
Fred Hutchinson Cancer Center has notified 544 patients that some of their sensitive data has potentially been exposed. Fred Hutch was notified on October 27, 2023, by a provider that their laptop computer had been lost while traveling. The laptop was used to access a Microsoft Outlook application through which patient information could be accessed. The provider said the laptop was password protected and has now been configured to initiate a remote wipe of the hard drive if it comes online. Fred Hutch conducted a review to find out what types of data were accessible through the laptop and determined that names, addresses, phone numbers, dates of birth, medical record numbers, patient account numbers, dates of service, and certain clinical information had been exposed, and for a limited number of patients, also Social Security numbers.
Notification letters were sent on December 26, 2023, and complimentary credit monitoring services have been made available to individuals who had their Social Security numbers exposed. Fred Hutch has provided additional education to the workforce on safeguarding mobile devices. This is the second data breach to be reported by Fred Hutchinson Cancer Center in the past few weeks. A much more serious breach occurred between November 19 and November 25, 2023, when a cybercriminal group breached its network and stole patient data. Fred Hutch has not yet confirmed how many patients have been affected but the hackers claimed to have infiltrated the data of around 800,000 patients. When the ransom was not paid, the threat actors started threatening patients directly.
