PHI of 1.27 Million Patients Compromised in Two Healthcare Data Breaches

The protected health information of 1,271,642 individuals has been exposed and potentially stolen in two healthcare hacking incidents that were recently reported to the Department of Health and Human Services’ Office for Civil Rights.

PHI of 688,000 Individuals Compromised in Sea Mar Community Health Centers Hack

Sea Mar Community Health Centers is a nonprofit community-based provider of health, human, housing, educational, and cultural services to underserved communities in Washington state.

On June 24, 2021, Sea Mar learned sensitive data had been exfiltrated from its IT systems by an unauthorized individual. Assisted by a leading third-party cybersecurity firm, Sea Mar determined its systems had been accessed between December 2020 and March 2021. According to the breach notice posted on its website, a review was conducted of the information potentially stolen from its network, which confirmed the following data types had been stolen:

Name, address, Social Security number, date of birth, client identification number, diagnostic and treatment information, insurance information, claims information, and/or images associated with dental treatment.

Sea Mar said the process of collecting the contact information required to issue notification letters to affected individuals was completed on August 30, 2021. Two months after obtaining the contact information, notification letters were sent to affected individuals. The notification sent to the Maine Attorney General indicates breach notification letters were sent between October 29, 2021, and November 5, 2021.

Sea Mar said it is not aware of any evidence of the misuse of information stolen in the incident, but has offered credit monitoring, identity theft protection, and fraud consultation services to individuals whose Social Security number was involved.

No mention is made in the breach notification letters about the stolen data being listed for sale on Marketo. Marketo is a darknet marketplace where stolen data are offered for sale. Marketo is not a ransomware-affiliated marketplace, although data stolen in ransomware attacks have previously been listed for sale on the site, including the data stolen in the Navistar ransomware attack.

The post on Marketo claims 3TB of data were exfiltrated in the attack, including emails, photographs, contact information, and photographs of agreements. The date of notification provided by Sea Mar corresponds with the date Sea Mar was notified of the listing on Marketo.

Utah Imaging Associates Reports 583,643-Record Data Breach

Utah Imaging Associates has started notifying 583,643 patients about a cyberattack that was detected and stopped on September 4, 2021. Utah Imaging Associates said it engaged a specialized third-party cybersecurity firm to conduct a forensic investigation into the attack to determine the nature and scope of the breach. While details of the nature of the attack were not provided in the notification letters, Utah Imaging Associates said the investigation confirmed that the attackers had access to files that contained sensitive information that was maintained for patient care and administrative purposes.

Those files included the following types of information: first and last names, mailing addresses, dates of birth, Social Security numbers, health insurance policy numbers, and medical information such as treatment, diagnosis, and prescription information. The types of information in the files varied from patient to patient.

Utah Imaging Associates said it is enhancing security measures for its systems and servers and has installed new endpoint monitoring tools that will constantly monitor for intrusions. At the time of issuing notification letters, no reports had been received about any actual or attempted misuse of patient data; however, as a precaution, affected individuals have been offered complimentary credit monitoring services.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
