HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

United Health Centers of San Joaquin Valley Notifies Patients About August 2021 Ransomware Attack

In August 2021, the Vice Society ransomware operation published data on its data leak site that had allegedly been obtained in a ransomware attack on United Health Centers of San Joaquin Valley.  On August 31, 2021, Bleeping Computer was made aware of the data leak and made multiple attempts to notify United Health Centers. Databreaches.net was also made aware of the data breach and similarly attempted to notify United Health Centers on multiple occasions. HIPAA Journal reported on the incident in September 2021.

Almost a year on and individuals whose protected health information was exposed or stolen in the attack have been notified by United Health Centers. The breach notification provided to the California Attorney General on August 12, 2022, explains that technical difficulties were experienced by United Health Centers on August 28, 2021, which caused disruption to its computer systems. Steps were immediately taken to secure its network and systems, and an investigation was launched to determine the nature of the incident.

United Health Centers said it discovered on September 22, 2021, that patient data had been exfiltrated from its systems. Third-party specialists were then engaged to confirm the scope of the data breach. The investigation confirmed that data had been exfiltrated between August 24, 2021, and August 28, 2021. A comprehensive review of the affected data was completed on April 11, 2022. United Health Centers said it “then worked expeditiously to provide notice to those patients whose information was found within those documents.”

The documents contained names, Social Security numbers, and medical record numbers. Affected individuals have been offered a one-year complimentary membership to Experian’s identity theft restoration and credit monitoring service. It is currently unclear exactly how many patients have been affected.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Lee County Emergency Medical Services Notifies Patients About Third-Party Data Breach

Lee County Emergency Medical Services has recently started notifying certain patients about a business associate-related data breach. Intermedix Corporation worked with Lee County Emergency Medical Services for almost 15 years, with the contract terminating in September 2014. Intermedix Corporation worked with a law firm, Smith, Gambrell & Russell (SGR), and certain patient data had been provided to that law firm.

Lee County Emergency Medical Services said in an August 11, 2022, breach notification on its website that it was notified on August 4, 2022, about the data breach at the law firm. SGR said it discovered on August 9, 2021, that files had been exfiltrated from its systems by an unauthorized individual, and those files contained the sensitive information of its clients. A vendor was engaged to assist with the investigation to determine the scope of the breach, and the review of the documents was completed on May 17, 2022. SGR said the breached information included names, addresses, Social Security numbers, driver’s license numbers, government IDs, and medical information, such as treatment, diagnosis, and medical history. SGR said it has taken steps to improve security and has offered affected individuals complimentary credit monitoring services.

Lee County Emergency Medical Services said it was notified about the incident on august 4, 2022, and has since been working closely with Intermedix Corporation to identify the affected individuals and said notifications. Notification letters will be sent to affected individuals within 14 to 21 days. The incident has yet to appear on the HHS’ Office for Civil Rights Breach portal so it is unclear how many individuals have been affected. Lee County Emergency Medical Services said around 2% of the records provided to SGR were compromised.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.