Third Party Data Breaches Reported by Apple Valley Clinic & BioTel Heart

Apple Valley Clinic in Minnesota has started notifying 157,939 patients that some of their protected health information was compromised in a ransomware attack on one of its information technology vendors.

Apple Valley Clinic, which is part of Allina Health, used Netgain Technology LLC to host its information technology network and computer systems. In November 2020, Netgain was attacked with ransomware which took its data centers offline. Netgain notified Apple Valley Clinic on December 2, 2020 that patient data may have been compromised in the ransomware attack. Allina Health received confirmation on January 29, 2021 that patient information had been involved.

The types of information compromised included names, dates of birth, bank account and routing numbers, Social Security numbers, patient billing information, and some medical information including symptoms and diagnoses. While several healthcare providers had PHI compromised, Apple Valley Clinic was the only Allina Health location to be affected.

Apple Valley Clinic has since taken steps to improve information security, including transitioning to the electronic health record system used by Allina Health. Netgain is continuing to investigate the attack and is monitoring for any adverse effects from the breach.

To date, Apple Valley Clinic has not received any reports to suggest any protected health information compromised in the attack has been misused; however, in order to ensure affected patients are protected, complimentary credit monitoring and identity theft protection services are being offered.

BioTel Heart Alerts 38,575 Patients to Online Exposure of PHI

The cardiac data company BioTel Heart has confirmed the protected health information of 38,575 patients has been exposed online by one of its vendors.

BioTel Heart, a trade name under which CardioNet, LLC and LifeWatch Services Inc., operate, was alerted to a breach on January 28, 2021 when a patient discovered some of their protected health information was accessible online from a Google search. An investigation was launched to determine the cause of the breach which revealed one of its vendors had failed to secure an Amazon S3 bucket, which resulted in patient information being accessible through the search engines. The investigation confirmed that patient data was accessible from October 17, 2019 to August 9, 2020.

The types of information accessible through the search engines included names, contact information, dates of birth, health insurance information, and health information related to remote cardiac monitoring services, such as diagnoses, diagnostic tests, prescribing physicians’ names, and treatment information. While Social Security numbers are not requested by BioTel Heart, some Social Security numbers were also compromised.

BioTel Heart has confirmed that the vendor fixed the issue and secured the data on August 9, 2020. The business relationship with the vendor has since been terminated.

The vendor was notified about the breach via Amazon following the discovery of the exposed data by a security researcher, as reported in August 2020 by The vendor appears not to have reported the breach to BioTel Heart.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.