San Juan Regional Medical Center Data Breach Affects 68,792 Patients

San Juan Regional Medical Center has recently notified tens of thousands of its patients about a security breach that occurred in the fall of 2020. The Farmington, NM medical center discovered its network had been accessed by an unauthorized individual on September 8, 2020. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the nature and extent of the breach.

The forensic investigation revealed the attacker exfiltrated files between September 7th and 8th, with a manual review of those files confirming they contained the protected health information of 68,792 patients. The types of information in the files varied from patient to patient and included names in combination with one or more of the following data elements:

Dates of birth, Social Security numbers, driver’s license numbers, passport information, financial account numbers, health insurance information, diagnoses, treatment information, medical record numbers, and patient account numbers.

While data theft was confirmed, no evidence has been found to indicate any of the stolen PHI has been misused. Complimentary credit monitoring services have been offered to individuals whose Social Security number was compromised. The medical center has also taken steps to secure its network and improve internal processes to prevent further security breaches.

Coastal Medical Group Reports Hacking and Data Theft Incident

Old Bridge, NJ-based Coastal Medical Group, a gastroenterology and internal medicine specialist, has suffered a security breach in which patient data has potentially been compromised. The practice, which is listed as permanently closed, discovered the breach on April 21, 2021.

The investigation into the breach indicates systems were first compromised on March 25, 2021. According to a statement released by the practice, incident response and recovery procedures were immediately implemented, and the practice worked quickly to assess the security of its systems and prevent further unauthorized access.

The investigation confirmed that files containing protected health information were acquired by the attacker, which included full names, home addresses, dates of birth, other demographic and contact information, Social Security numbers, insurance information, diagnoses, and treatment information.

The practice has notified all affected patients by mail and has offered complimentary credit monitoring and identity theft protection services. Steps have also been taken to secure its systems to prevent any further breaches.

It is currently unclear how many individuals have been affected.

Springfield Psychological Reports Email Error

Pennsylvania-based Springfield Psychological has notified certain current, former, and prospective patients about an email error that exposed email addresses. A routine marketing email was sent on June 9, 2020; however, rather than having the recipients’ email addresses hidden, the email was sent in a way that made recipients’ email addresses visible to all recipients.

Aside from identifying individuals as having received or considered receiving healthcare services from Springfield Psychological, the only information exposed was email addresses.

Springfield Psychological contacted the HHS’ Office for Civil Rights about the incident in the fall of 2020 and on May 25, 2021, OCR informed Springfield Psychological that the incident was a reportable breach under HIPAA. Affected individuals were then promptly notified.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.