The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Sutter Health Confirms 84K Individuals Affected by Cyberattack on Business Associate

Sutter Health, a healthcare provider serving Northern California, has recently confirmed that patient data was compromised in a hacking incident at one of its business associates, Virgin Pulse. Virgin Pulse was contracted to provide important notices and communications to patients and was provided with patient data to fulfill that role.

Virgin Pulse used Progress Software’s MOVEit Transfer file transfer tool, which had a vulnerability that was exploited by the Clop Group. Progress Software released a patch to fix the vulnerability on May 31, and Virgin Pulse said it moved quickly to apply the patch and recommended mitigation steps; however, the vulnerability had already been exploited. The vulnerability was exploited in attacks on more than 2,300 organizations and the data of more than 60 million individuals was stolen, including the data of 845,441 Sutter Health patients.

Sutter Health was informed by Virgin Pulse on September 22, 2023, that it had been affected by the hack, almost 4 months after the cyberattack occurred, but did not get the final report until October 24, 2023. The compromised data included names, dates of birth, health insurance information, provider names, treatment cost information, and diagnoses/treatment information. Sutter Health said the affected individuals have been offered a complimentary 1-year membership to a credit monitoring and identity theft protection service.

Northern Iowa Therapy Confirms Extent of March 2023 Security Incident

Waverly, IA-based Northern Iowa Therapy (NIT) has recently confirmed that the records of 5,100 patients have been exposed. The privacy breach was first identified on March 10, 2023, when NIT discovered a limited number of patient records in an account unaffiliated with NIT. An investigation was launched, and third-party forensic experts were engaged to assist. NIT first announced the security incident on June 21, 2023, and conducted a review of the documents involved. On October 4, 2023, it was determined that patient data had been exposed. Contact information was then verified, and notification letters were sent on October 27, 2023.

The exposed information varied from individual to individual and may have included names, addresses, dates of birth, email addresses, phone numbers, medical information, mental/physical condition, Medicare IDs, Social Security numbers, driver’s license numbers, diagnoses, treatment information, dates of service, billing & claims information, health insurance information, and patient account numbers.

NIT said it continuously evaluates and modifies its security practices to enhance the privacy and security of the personal information it stores and will continue to do so.

West Central District Health Department Notifies Patients About May 2023 Cyberattack

The West Central District Health Department (WDCHD) in Nebraska has recently confirmed there has been unauthorized access to its network and patient data has been exposed. The forensic investigation confirmed that certain portions of its network were accessed between May 18, 2023, and May 23, 2023, and the review of the affected files was completed on September 18, 2023.

In its November 13, 2023, breach notice, WDCHD confirmed that the exposed information included names in combination with one or more of the following: Social Security number, driver’s license number, state ID number, and/or financial account number. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

NoEscape Ransomware Group Claims Responsibility for Attacks on 2 Healthcare Organizations

The NoEscape ransomware group has claimed responsibility for attacks on two healthcare organizations, Southeastern Orthopaedic Specialists in Greensboro, NC, and Carespring in Loveland, OH. NoEscape claims to have exfiltrated 3 GB of data from Southeastern Orthopaedic Specialists and 364 GB of data from Carespring and has issued threats on its data leak site to release the stolen data if the ransom demands are not met. In addition to data encryption and data theft/leaks, the NoEscape group often conducts DDoS attacks on victims who do not attempt to negotiate, and the group claims to have conducted such an attack on Southeastern Orthopaedic Specialists. At present no data has been released, and neither organization has publicly confirmed a cyberattack or data breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
