Warren General Hospital Data Breach Affects 169,000 Patients
Data breaches have recently been reported by Warren General Hospital in Pennsylvania, Southwest Behavioral Health Center in Utah, CareTree in Illinois, and the Medical University of South Carolina.
Warren General Hospital Data Breach
On November 9, 2023, Warren General Hospital (WGH) in Warren, PA, announced it had fallen victim to a cyberattack that potentially affected the confidential information of current and former patients and employees. Suspicious activity was detected within its network on September 24, 2023. Assisted by third-party cybersecurity experts, WGH determined that an unauthorized actor had access to its network between September 15, 2023, and September 23, 2023, and during that time, downloaded files from its network.
The review of the files confirmed they contained names, in combination with one or more of the following: address, date of birth, Social Security number, financial account information, payment card information, health insurance claims information, and medical information, which may have included diagnosis, medications, lab results, and other treatment information.
WGH said existing policies and procedures have been reviewed, administrative and technical controls have been enhanced, and additional security training has been provided to the workforce. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 168,921 patients.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Southwest Behavioral Health Center Data Breach
Southwest Behavioral Health Center, a Saint George, UT-based provider of mental health treatment and psychiatric services, has recently reported a data breach to the HHS’ Office for Civil Rights that affected 17,147 current and former patients.
A security breach was detected on March 13, 2023, and a third-party cybersecurity firm was engaged to investigate and determine the extent to which patient data had been compromised. The investigation revealed an unauthorized third party gained access to parts of its system containing files that included patient data prior to March 13, 2023; however, it was not possible to determine the specific files that may have been accessed or copied from its network.
The review of the files potentially involved confirmed they contained patient data such as names, dates of birth, Social Security numbers, personal health record information, and medical information. After verifying contact information, notification letters started to be issued on November 9, 2023, to all patients that had potentially been affected.
Medical University of South Carolina Data Breach
The Medical University of South Carolina (SUMC) in Charleston has been affected by a data breach at one of its third-party vendors. Westat collects data from SUMC patients on behalf of the Centers for Disease Control and Prevention (CDC) for public health reporting purposes. Westat used Progress Software’s MOVEit Transfer file transfer solution, a zero-day vulnerability in which was exploited by the Clop hacking group between May 28 and May 29, 2023. Westat has already reported the breach to the HHS’ Office for Civil Rights in two separate reports, one affecting 50,065 individuals and a second affecting 20,045. SUMC reported the breach as affecting 1,758 individuals and said it involved names, addresses, dates of birth, diagnoses, provider names, and insurance information.
CareTree Data Breach
CareTree Inc., a Chicago, IL-based provider of smart care management and patient advocate software for care providers, has recently confirmed there has been unauthorized access to the CareTree platform. Suspicious activity was detected within its platform on or around August 16, 2023. The forensic investigation confirmed access to the platform was gained on July 21, 2023.
The review of the affected files confirmed that they contained the information of 1,097 CareTree patients; however, CareTree was unable to confirm the specific information exposed for each patient because the information is no longer available. The types of information potentially compromised included names, addresses, driver’s license numbers, Social Security numbers, financial account information, dates of birth, medical information including diagnosis, lab results, medications or other treatment information, and/or health insurance information. In its substitute breach notice, CareTree said, “CareTree will provide notice of this event to all individuals whose personal information was involved, along with information and steps potentially impacted individuals can take to better protect their information.”
The breach has been reported to the Maine Attorney General as affecting 5,474 individuals, which suggests individuals other than patients were also affected, such as employees.
