Oak Valley Hospital District Cyberattack Impacts 284K Patients
Oak Valley Hospital District in Oakdale, CA, has recently notified 283,629 patients about a cybersecurity incident that exposed their sensitive information. Suspicious activity was detected within its IT systems on July 18, 2023, and the subsequent forensic investigation confirmed that an unauthorized third party had access to its systems from April 21, 2023, to July 18, 2023. During that time, files used for billing and treatment purposes may have been viewed or stolen.
The files contained protected health information such as names, health insurance information, Social Security numbers, and information related to the care provided. Individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services. Oak Valley Hospital District said it has strengthened system security and will continue to assess and enhance its security protocols to prevent further data breaches.
Mountrail County Medical Center Affected by Cyberattack on DMS Health Technologies
Mountrail County Medical Center in Stanley, ND, has been affected by a cybersecurity incident at its imaging vendor, DMS Health Technologies. DMS identified suspicious activity within its computer network on April 23, 2023. The forensic investigation confirmed that unauthorized individuals had access to its network for a month between March 27 and April 24, 2023. During that time, files containing protected health information may have been viewed or obtained. The information in the files varied from individual to individual and may have included names, dates of birth, dates of service, physician names, and exam types. DMS said additional administrative and technical safeguards are being implemented to better secure its systems.
Jordan Valley Community Health Center Suffers Cyberattack
Jordan Valley Community Health Center in Springfield, MO, identified suspicious activity in its computer systems on August 9, 2023. A forensic investigation was launched to determine the nature and scope of the incident, which revealed unauthorized individuals had access to its systems between March 9, 2023, and June 22, 2023. During that time, files containing patient information may have been viewed or copied. The affected files contained the following data types: name, address, email address, birth date, and race.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Jordan Valley Community Health Center said all the printed and digital material that was taken has been retrieved and destroyed, and affidavits have been obtained confirming no copies of the stolen data had been made. A spokesperson for the health center said, “Consistent with our core values and ongoing efforts to improve the quality of patient care and convenience, we have further limited access to information without a business need, so this does not happen again.” Affected individuals were notified on September 15. The HHS’ Office for Civil Rights has been informed, but the incident is not yet showing on the OCR breach portal, so it is currently unclear how many individuals have been affected.
Recently Confirmed Victims of MOVEit Transfer Hacks
WVU Medicine (Nuance Communications)
WVU Medicine, a West Virginia provider of advanced heart, vascular, thoracic, cancer, pediatric, and neurological care, has recently confirmed that it was one of the Nuance Communications clients affected by the exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution between May 28 and May 29, 2023. Nuance Communications was notified about the vulnerability by Progress Software and launched an investigation to determine if the flaw had been exploited, and determined on July 11, 2023, that the data of WVU Medicine patients had been exfiltrated. WVU Medicine was notified about the breach on August 1, 2023, and Nuance issued notification letters to the affected individuals on September 19, 2023. The breached information included patient names, practitioner names, healthcare facility names, and dates and descriptions of services provided.
Erlanger Health (Nuance Communications)
Erlanger Health, Inc. in Tennessee was also affected by the MOVEit hack at Nuance Communications. The stolen files included the PHI of 2,753 patients who had recently received imaging or radiology services. The compromised information was limited to names, dates of service, services received, and internal medical record numbers. Nuance Communications notified Erlanger Health about the breach on August 2, 2023, and notification letters were mailed to the affected patients in mid-September.
Arkansas Total Care (Ricoh USA)
Arkansas Total Care member data was stolen from Ricoh USA, Inc. after the MOVEit Transfer vulnerability was exploited. Ricoh informed Arkansas Total Care about the data breach on July 26, 2023. The compromised information included names, Social Security numbers, dates of birth, and some medical information. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 578 individuals.
