HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI Potentially Compromised in Hacking Incidents at Four Healthcare Providers

Four healthcare providers have recently announced their IT systems have been compromised and patient data may have been accessed.

Hacker Gains Access to Server of New York Psychotherapy and Counseling Center

New York Psychotherapy and Counseling Center (NYPCC), an NYC-based non-profit mental health services provider, has announced it was the victim of a cyberattack that was discovered on September 11, 2021.

Steps were immediately taken to secure its systems and prevent further unauthorized access and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and scope of the attack. NYPCC said its electronic medical record system was not compromised; however, the attacker is believed to have accessed some files on the server that contained patients’ protected health information (PHI).

A review of the files on the server revealed the following information may have been compromised: names, dates of service, addresses, Medicaid IDs, and dates of birth. NYPCC said it is committed to continually reviewing and updating its security protocols related to the protected health information of patients.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Affected individuals have been notified by mail and have been offered complimentary identity monitoring, credit monitoring, and other related services to protect them against any misuse of their information.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 28,000 individuals.

The Urology Center of Colorado Network Accessed by Unauthorized Individual

The Urology Center of Colorado (TUCC) has discovered parts of its computer network have been accessed by an unauthorized individual. The security breach was detected and blocked on September 8, 2021, with the breach investigation confirming the attack started the previous day.

The compromised parts of its network were reviewed to determine whether any patient data may have been accessed. TUCC said the review found the following types of protected health information had been exposed: name, date of birth, Social Security number, address, phone number, email address, medical record number, diagnosis, treating physician, insurance provider, treatment cost, and/or guarantor name.

TUCC said account passwords were changed to prevent further unauthorized access and additional security measures are being considered to prevent further data breaches. Out of an abundance of caution, TUCC is offering complimentary credit monitoring and identity protection services to affected individuals.

The HHS’ Office for Civil Rights’ breach portal indicates the protected health information of 137,820 individuals was potentially compromised.

Mowery Clinic Alerts Patients About September 2021 Cyberattack

Mowery Clinic in Salina, KS, has started notifying certain patients about a cyberattack that was detected on September 14, 2021. Action was immediately taken to secure its systems and prevent further unauthorized access and a third-party cybersecurity firm was engaged to conduct a forensic investigation.

The forensic investigation confirmed the attacker had not accessed the electronic health record system, but malware had been deployed that allowed the attacker to access and acquire documents that contained employee and patient information.

At this stage of the investigation, no evidence has been found of any actual or attempted misuse of patient data. The types of information potentially obtained include names, addresses, dates of birth, medical information such as office/diagnostic notes, and a limited number of Social Security numbers. In some cases, information about an employee’s spouse, dependents, beneficiaries, or minor children may have been compromised.

The clinic is still investigating the incident to determine exactly how access to its network was gained. Appropriate measures will be implemented to prevent similar breaches in the future.

Prairie Lakes Healthcare System Says Hacker Gained Access to Some of Its IT Systems

Watertown, S.D.-based Prairie Lakes Healthcare System has discovered an unauthorized individual has gained access to a small number of its IT systems.

The healthcare system learned of the attack on October 6, 2021, when it experienced disruption to parts of its network. Rapid action was taken to isolate the affected systems and prevent further unauthorized access, and a third-party cybersecurity firm was engaged to investigate the incident and assist with remediation efforts.

Prairie Lakes Healthcare said all the affected systems have now been restored; however, the investigation into the security breach is ongoing. At this stage of the investigation, no evidence of unauthorized access or exfiltration of patient data has been found. If patient data is believed to have been compromised, notification letters will be sent to affected individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.