Refuah Health Center Alerts 260K Patients About May 2021 Cyberattack

Refuah Health Center in New York has recently started notifying 260,740 patients about a security breach that occurred almost a year ago. According to the April 29, 2022, notification on the healthcare provider’s website, “We recently discovered unauthorized access to our network occurred between May 31, 2021, and June 1, 2021.” Upon discovery of the breach, an investigation was launched to determine the nature and scope of the attack, and a comprehensive review was then conducted of all documents that were potentially accessed.

Refuah Health Center said it discovered on March 2, 2022, that the attackers had exfiltrated some files from its network that contained “a limited amount” of patients’ protected health information, including names in combination with one or more of the following data types: Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank/financial account information, credit/debit card information, medical treatment/diagnosis information, Medicare/Medicaid numbers, medical record numbers, patient account numbers, and/or health insurance policy numbers. Notification letters started to be sent to affected individuals on April 29, 2022, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were potentially compromised.

While Refuah Health Center did not disclose further information about the nature of the attack, databreaches.net reports that the attack appears to have been conducted by the Lorenz ransomware gang, which added Refuah Health Center to its list of victims on its data leak site on June 11, 2021, although that entry has now been removed.

Quantum Imaging Therapeutic Associates

Lewisberry, PA-based Quantum Imaging Therapeutic Associates, a provider of specialized diagnostic radiology services, has recently sent notification letters to patients advising them that their protected health information was exposed in a data security incident that was detected and blocked on October 7, 2021.

At the time of issuing notification letters, no evidence had been found to indicate any patient data has been accessed or stolen by the attackers, although it was not possible to rule out the possibility. The compromised parts of its network contained patient data such as names, addresses, birth dates, Social Security numbers, and information related to the radiology services provided.

After blocking the attack, Quantum launched an investigation assisted by third-party IT specialists, and has now reviewed its network environment and made improvements to security. Quantum will also be monitoring the threat landscape closely and will take proactive actions to address new threats.  Affected individuals have been offered complimentary identity theft protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

RiverKids Pediatric Home Health Reports Email Security Incident

RiverKids Pediatric Home Health in Texas has recently started notifying 3,494 patients that some of their protected health information has potentially been viewed or stolen as a result of an email security incident. On March 15, 2022, RiverKids discovered an unauthorized individual had gained access to the email account of an employee. The investigation into the breach determined multiple employee email accounts had been compromised, with the review of those accounts confirming they contained patient information such as names, birthdates, addresses, and health insurance member IDs. Financial information and Social Security numbers were not exposed.

RiverKids said additional email security measures have been implemented to prevent further security incidents.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.