Sierra Nevada Primary Care Physicians Alerts Patients About Theft of PHI
Sierra Nevada Primary Care Physicians in California is alerting 1,717 patients about an incident involving the theft of some of their protected health information, including names and credit card information.
On May 20, 2021, Sierra Nevada Primary Care Physicians was notified by the District Attorney’s office that two envelopes containing receipts from the practice had been found in the vehicle of a suspect.
The receipts were for payments made by patients between January 1, 2019 and March 20, 2019. For individuals who paid in person at the front desk using a debit or credit card, the receipts contained the individual’s name, name of the practice, amount charged, and the last four digits of the card number. Receipts for payments made by individuals using a debit card or credit card by mail or over the phone included that individual’s name, debit/credit card number, expiry date, CVV code, signature, practice name, and amount charged.
The District Attorney confirmed that the two envelopes and receipts were recovered and the perpetrators were arrested. Sierra Nevada Primary Care Physicians has offered affected individuals 12 months of complimentary credit monitoring services but believes misuse of information is unlikely. Steps have since been taken to improve security, including keeping receipts in a locked room that only two individuals can access, and all receipts now have the credit card information blacked out.
University of Maryland, Baltimore Impacted by Accellion Cyberattack
University of Maryland, Baltimore has announced the protected health information of 30,468 individuals was compromised in a cyberattack on its Accellion File Transfer Appliance (FTA) in December 2020.
Hackers gained access to the system, exfiltrated data, and issued a ransom demand for the safe return of the stolen data. Some of that information was subsequently published on the hacker’s data leak site.
University of Maryland said the system was used by students and faculty staff and was rigorously monitored and patches to fix security issues were promptly applied; however, in this instance, a vulnerability was exploited for which a patch had not yet been released by Accellion.
A plan had already been formed to replace the system with a newer, more secure system prior to learning about the breach. The plan was executed in February 2021 and the legacy Accellion FTA appliance has now been replaced. Complimentary credit monitoring services have been offered to affected individuals.