Sarasota MRI, Consociate Health, & Upstate Homecare Notify Patients About Data Breaches

Sarasota MRI, Consociate Health, and Upstate Homecare have recently notified regulators and patients about security incidents involving personal and protected health information.

Upstate Homecare Notifies 5,100 Patients About Ransomware Attack

The Albany, NY-based home healthcare provider, Upstate Healthcare, has notified 5,114 patients about a recent ransomware attack in which patient data was stolen.

It is unclear from the breach notification letters when the attack occurred; however, an investigation conducted by a third-party cybersecurity firm determined on November 4, 2021, that patient data had been stolen and posted to a data leak website on the darknet.

The stolen data included full names, dates of birth, addresses, telephone numbers, email addresses, driver’s license numbers, bank account information, Social Security numbers, treatment information physicians’ names, patient ID numbers, and Medicare/Medicaid numbers.

Following the attack, Upstate Healthcare performed a comprehensive review of its security measures and has implemented additional safeguards to better protect its systems and data against future attacks. Affected individuals were notified on November 24, 2021, and have been offered complimentary access to identity theft monitoring and restoration services.

Sarasota MRI Notifies Patients About Potential PHI Exposure

Florida-based Sarasota MRI has started notifying certain patients about the potential exposure of some of their protected health information. In late July 2020, Sarasota MRI was contacted by a third-party, unaffiliated cybersecurity firm and was notified that one of its servers had been misconfigured, which allowed information on the server to be accessed.

The server in question was determined not to be in use and data had been migrated to a different server. Further, a review of the server uncovered no evidence to suggest it had been accessed by unauthorized individuals, other than the security company that detected the misconfiguration.

However, since it was not possible to rule out the exposure of individuals’ names, dates of birth, medical records, and medical images, affected individuals are now being notified. According to the breach notification letter sent to the Vermont attorney general on November 12, 2021, Sarasota moved quickly to correct the misconfiguration and conducted an investigation into a potential breach, and has taken steps to ensure the security of its systems.

Consociate Health Discovers Breach at Employee Benefits Plan Administrator

Consociate Health, a provider of employee benefits programs and plan administration services, has recently completed a 10-month investigation into a data breach involving the protected health information of 982 individuals. The investigation revealed the breach only affected the PHI of individuals from January 1, 2014, through December 31, 2015.

The types of exposed data included names, addresses, dates of birth, diagnosis codes, medical record numbers, health insurance information, medical record information, and Social Security numbers.

No evidence was found to indicate any PHI has been misused but, as a precaution, affected individuals have been offered complimentary access to identity theft monitoring services for 12 months.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.