HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of 1.27 Million Patients Compromised in Two Healthcare Data Breaches

The protected health information of 1,271,642 individuals has been exposed and potentially stolen in two healthcare hacking incidents that were recently reported to the Department of Health and Human Services’ Office for Civil Rights.

PHI of 688,000 Individuals Compromised in Sea Mar Community Health Centers Hack

Sea Mar Community Health Centers is a nonprofit community-based provider of health, human, housing, educational, and cultural services to underserved communities in Washington state.

On June 24, 2021, Sea Mar learned sensitive data had been exfiltrated from its IT systems by an unauthorized individual. Assisted by a leading third-party cybersecurity firm, Sea Mar determined its systems had been accessed between December 2020 and March 2021. According to the breach notice posted on its website, a review was conducted of the information potentially stolen from its network, which confirmed the following data types had been stolen:

Name, address, Social Security number, date of birth, client identification number, diagnostic and treatment information, insurance information, claims information, and/or images associated with dental treatment.

Sea Mar said the process of collecting the contact information required to issue notification letters to affected individuals was completed on August 30, 2021. Two months after obtaining the contact information, notification letters were sent to affected individuals. The notification sent to the Maine Attorney General indicates breach notification letters were sent between October 29, 2021, and November 5, 2021.

Sea Mar said it is not aware of any evidence of the misuse of information stolen in the incident, but has offered credit monitoring, identity theft protection, and fraud consultation services to individuals whose Social Security number was involved.

No mention is made in the breach notification letters about the stolen data being listed for sale on Marketo. Marketo is a darknet marketplace where stolen data are offered for sale. Marketo is not a ransomware-affiliated marketplace, although data stolen in ransomware attacks have previously been listed for sale on the site, including the data stolen in the Navistar ransomware attack.

The post on Marketo claims 3TB of data were exfiltrated in the attack, including emails, photographs, contact information, and photographs of agreements. The date of notification provided by Sea Mar corresponds with the date DataBreaches.net notified Sea Mar of the listing on Marketo.

Utah Imaging Associates Reports 583,643-Record Data Breach

Utah Imaging Associates has started notifying 583,643 patients about a cyberattack that was detected and stopped on September 4, 2021. Utah Imaging Associates said it engaged a specialized third-party cybersecurity firm to conduct a forensic investigation into the attack to determine the nature and scope of the breach. While details of the nature of the attack were not provided in the notification letters, Utah Imaging Associates said the investigation confirmed that the attackers had access to files that contained sensitive information that was maintained for patient care and administrative purposes.

Those files included the following types of information: first and last names, mailing addresses, dates of birth, Social Security numbers, health insurance policy numbers, and medical information such as treatment, diagnosis, and prescription information. The types of information in the files varied from patient to patient.

Utah Imaging Associates said it is enhancing security measures for its systems and servers and has installed new endpoint monitoring tools that will constantly monitor for intrusions. At the time of issuing notification letters, no reports had been received about any actual or attempted misuse of patient data; however, as a precaution, affected individuals have been offered complimentary credit monitoring services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.