HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of Over 500,000 Individuals Potentially Compromised in 4 Security Incidents

Over 500,000 individuals have been affected by cyberattacks on Norwood Clinic, PracticeMax, Central Indiana Orthopedics, and an unauthorized electronic medical record incident at Ascension Michigan.

Norwood Clinic

The Birmingham, AL-based multi-specialty clinic, Norwood Clinic, has recently started notifying 228,103 individuals that some of their protected health information was accessed in a cyberattack that was detected on October 22, 2021. Upon detection of the breach, systems were immediately secured and third-party security experts were engaged to investigate the incident and determine the nature and scope of the breach.

The investigation confirmed that an unauthorized individual gained access to a server that housed patient information such as names, contact information, birth dates, Social Security numbers, driver’s license numbers, limited health information, and/or health insurance policy numbers. While unauthorized data access was confirmed, it was not possible to determine the specific information that was accessed, or whether any patient information was acquired in the attack.

Norwood Clinic said a complimentary 12-month membership to credit monitoring, dark web monitoring, and identity theft protection services has been offered to affected individuals, and steps have been taken to improve cybersecurity, including revising email settings and policies, updating and modifying network security technical hardware, adding password complexity rules, and instituting more secure login mechanisms.

PracticeMax

The business management and information technology solution provider PracticeMax has recently notified the Maine Attorney General about a data breach that has affected 165,698 individuals. PracticeMax said it started experiencing technical difficulties on May 1, 2021 and launched an investigation into a potential security breach.

The forensic investigation confirmed that unauthorized individuals gained access to its systems on April 17, 2021, and access remained possible until May 5, 2021. The attackers gained access to a server and potentially copied files containing the protected health information of patients and health plan members of its clients, prior to deploying ransomware.

PracticeMax said it issued notification letters on behalf of affected clients on October 19, 2021, even though the review of the server had not yet concluded. The review was concluded on February 2, 2022, and affected customers were updated on February 14, 2022. The types of data stored on the server varied from individual to individual and may have included names and Social Security numbers. PracticeMax said that on March 4, 2022, it started sending further notification letters to individuals who had not previously been notified.

According to the recent web notice, “PracticeMax continues to assess the security of its systems and to enhance existing policies and procedures, including implementing additional technical and administrative safeguards.”

Central Indiana Orthopedics

External counsel for Central Indiana Orthopedics (CIO) has recently notified the Maine Attorney General and sent notification letters to 83,705 individuals affected by a cyberattack that was identified on October 16, 2021. While notification letters were delayed, the breach was announced on the CIO website shortly after it was detected in October 2021.

Following the discovery of suspicious network activity, CIO engaged a third-party cybersecurity firm to investigate the breach and help secure its IT systems. The investigation confirmed that files containing protected health information had been accessed by an unauthorized actor and may have been stolen in the attack. The potentially compromised data included names, addresses, Social Security numbers, and limited health information.

CIO said complimentary identity theft protection services are being offered to affected individuals, which include dark web monitoring and a $1 million identity theft insurance policy. Databreaches.net has previously reported on the incident and said a threat group known as Grief claimed responsibility and had uploaded some of the stolen data to the group’s data leak site.

Ascension Michigan

Ascension Michigan has recently started notifying 27,177 individuals about a lengthy unauthorized electronic medical record access incident. Ascension Michigan said the user’s access to the system was immediately terminated when the unauthorized access was discovered. The investigation into the incident confirmed that the user had improperly accessed patient information in the EHR system from October 15, 2015, until September 8, 2021.

A review of the unauthorized access was completed on November 30, 2021, and confirmed that the following types of information had been viewed: full names, birth dates, addresses, email addresses, phone numbers, health insurance information, health insurance identification numbers and carriers, dates of service, diagnoses, treatment-related information, and, in some cases, Social Security numbers.

Following the breach, internal controls were reviewed and processes have been updated to better safeguard patient information. Credit and identity theft protection monitoring services have been offered to affected individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.