Cyberattack on River Region Cardiology Affects Up to 500,000 Individuals
Cyberattacks have been reported by River Region Cardiology in Alabama and Delta County Memorial Hospital District in Colorado. Lucent Health Solutions in Tennessee has notified individuals who had their data exposed in an October 2, 2023 phishing attack.
Cyberattack on River Region Cardiology Affects Up to 500,000 Individuals
River Region Cardiology in Alabama has recently notified approximately half a million current and former patients that some of their protected health information was compromised in a September 2024 security incident. Unauthorized access to its systems was detected on September 16, 2024, with the investigation confirming a hacker accessed the network via the remote connection used by an unnamed vendor. The vendor’s remote connection was severed when the unauthorized access was detected.
The review of the exposed files confirmed they contained full names, dates of birth, Social Security numbers, and patients’ sex, height, and weight. The breach was reported to the HHS’ Office for Civil Rights on December 11, 2024, as involving the protected health information of up to 500,000 individuals. River Region Cardiology explained in its substitute breach notice that it is working with external cybersecurity experts to strengthen system security to prevent similar breaches in the future and is cooperating with law enforcement and regulatory authorities to address the situation. At the time of issuing notification letters, no misuse of the exposed data had been identified.
River Region Cardiology did not disclose the name of the hacking group; however, the BianLian Threat group claimed responsibility for the attack and added River Region Cardiology to its data leak site, which suggests the ransom was not paid.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Delta County Memorial Hospital District Cyberattack Affects 148,363 Individuals
Delta County Memorial Hospital District in Colorado has discovered the protected health information of 148,363 individuals has potentially been stolen in a cyberattack. Suspicious activity was identified within its computer network on May 30, 2024, third party cybersecurity experts were engaged to investigate the activity, and law enforcement was notified. The investigation confirmed that its network had been accessed by an unauthorized third party who exfiltrated files containing patient information between May 27, 2024, and May 30, 2024.
Files on the impacted parts of the network were reviewed, and it was confirmed on November 1, 2024, that patient data had been exposed and potentially stolen. Names, addresses, phone numbers, dates of birth, financial account information, medical information, health insurance information, Social Security numbers, and driver’s license numbers were present in the exfiltrated data. The impacted data varied from patient to patient and may have included some or all of the above information. No misuse of the affected data has been detected; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.
Lucent Health Solutions Issues Notifications About October 2023 Phishing Incident
Lucent Health Solutions, a Nashville, TN-based health plan administration service provider, has notified the California Attorney General about a phishing incident that resulted in unauthorized access to a single email account.
The January 30, 2025, notification letter states that the phishing incident occurred 15 months previously on October 2, 2023, when a Lucent Health manager opened a phishing email sent from the email account of a trusted broker. The IT team identified suspicious activity within the account and terminated access within 90 minutes. Lucent Health said it commenced a prompt and thorough investigation and worked with cybersecurity experts to determine if there was any unauthorized access to protected health information. No evidence was found to indicate unauthorized access to protected information or any downloads from the email account in that 90-minute window, the email account did contain names, dates of birth, Social Security numbers, and health, dental, and vision group and/or plan numbers.
The affected individuals have been offered single bureau credit monitoring, credit report, and credit score services for 24 months as a precaution. No explanation was provided as to why it took so long to issue notifications. The HHS’ Office for Civil Rights breach portal lists the data breach as affecting 37,000 individuals.
