HIPAA Breach News

559,000 Individuals Affected by Murfreesboro Medical Clinic & SurgiCenter Cyberattack

Posted by Steve Alder

Murfreesboro Medical Clinic & SurgiCenter (MMC) in Tennessee has recently confirmed that the protected health information of more than half a million patients was compromised in what it describes as “a series of attacks on our network and IT systems,” which were discovered on or around April 24, 2023.

An investigation was launched after securing its network, and it was confirmed that a “well-known cyber extortion operation” was behind the attack and gained access to the network on or around April 22, 2023.  The group was not named by MMC, but it appears to be the BianLian threat group.

MMC said it was unable to determine whether files were accessed or removed from its network; however, the parts of the network that were accessed contained files that included the protected health information of 559,000 patients. The information potentially accessed or stolen included full names, dates of birth, home addresses, phone numbers, copies of driver’s licenses, full or partial social security numbers, dependent information, dates of service, medical and diagnostic information related to those dates of service, test results, procedure notes, prescription information, medical record numbers, and insurance and enrolment information.

MMC said it rebuilt its network and has implemented advanced security features to prevent similar breaches in the future, and said the attack appeared not to have resulted in any loss of data. As a precaution against identity theft and fraud, affected individuals have been offered 24 months of complimentary credit monitoring services.

PHI of More Than 24,000 Mount Desert Island Hospital Patients Exposed

Mount Desert Island Hospital in Bar Harbor, ME, has issued a statement about a security incident that was detected on May 4, 2023. An investigation was launched when suspicious activity was detected in its computer systems, which confirmed certain parts of its network had been accessed by unauthorized individuals between April 28, 2023, and May 7, 2023.

A review of all files on the compromised parts of the network confirmed that protected health information had been exposed, including names, addresses, birth dates, driver’s license/state identification numbers, Social Security numbers, financial account information, medical record numbers, Medicare or Medicaid identification numbers, mental or physical treatment/condition information, diagnosis codes/information, dates of service, admission/discharge dates, prescription information, billing/claims information, personal representative/guardian names, and health insurance information.

Third-party security specialists were engaged to re-secure its network and implemented additional security precautions, and a review has been conducted of its data protection policies and procedures. Complimentary credit monitoring services have been offered to the 24,180 affected individuals.

ARx Patient Solutions Reports Email Account Breach from 2022

The Kansas-based healthcare provider, ARx Patient Solutions, has recently notified the Maine Attorney General about a security breach that has affected 41,116 individuals, including individuals who used the ARx Patient Solutions Pharmacy.

In March 2022, an unauthorized individual accessed the email account of an employee. A third-party cybersecurity firm was engaged to investigate the breach and determined that the following types of information had been exposed: first name, last name, prescription information, patient account number, health insurance account member number, health insurance group number, doctor’s name, and in some limited cases, Social Security number. Many of the individuals affected were minors.

The investigation, which included dark web monitoring, has not identified any evidence of misuse of the exposed data. ARx Patient Solutions said it has strengthened system security by implementing XDR threat monitoring systems, proactive vulnerability management programs, active system scanning solutions, and has made significant investments in its Security Operations department. Affected individuals were notified on June 30, 2023, and have been offered a one-year membership to an identity theft monitoring service.

City of San Luis Reports Email Breach Affecting 6,848 Individuals

The City of San Luis in Arizona has discovered unauthorized access to an employee’s email account that contained the protected health information of 6,848 individuals. Suspicious activity was detected in the email account on March 7, 2023, and the forensic investigation confirmed the account was accessed without authorization between February 1, 2023, and February 23, 2023. The review of the emails and attachments was completed on May 4, 2023, then contact information was verified to allow notification letters to be sent. Affected individuals had one or more of the following exposed: name, address, driver’s license number, health insurance information, medical information, date of birth, and Social Security number.

Arizona Medicaid Agency Reports Exposure of Medicaid Recipients’ PHI

The Arizona state Medicaid agency, Arizona Health Care Cost Containment System (AHCCCS), has confirmed that 2,632 Medicaid recipients have had some of their protected health information exposed. On May 11, 2023, a vulnerability was identified in the HEAplus system toolbar on the e-Arizona website, which allowed sensitive information to be accessed. The information exposed was limited to first and last names, addresses, and the last four digits of Social Security numbers. AHCCCS has made security updates that it says will prevent similar breaches from occurring again and notified the affected individuals by mail on July 3, 2023.

Vitality Group Suffers MOVEit Data Breach

Vitality Group, a Chicago, IL-based behavioral engagement platform provider, suffered a data breach on May 30, 2023, when hackers exploited a zero-day vulnerability in the MOVEit file transfer solution. The breach was detected by its IT security staff on June 1, 2023, and steps were immediately taken to prevent further unauthorized access; however, during a 2-hour time span, hackers had access to the server where the MOVEit application was installed and potentially stole sensitive data such as names, mailing addresses, dates of birth, email addresses, and Social Security numbers.

Vitality Group is offering two years of complimentary credit monitoring and identity theft protection services to individuals who had their Social Security numbers exposed. It is currently unclear how many of its clients were affected, but one of those is known to be the Los Angeles, CA-based AltaMed Health Services Corporation.

The post 559,000 Individuals Affected by Murfreesboro Medical Clinic & SurgiCenter Cyberattack appeared first on HIPAA Journal.

Cyberattacks Reported by Precision Imaging Centers, Marshall & Melhorn, and Atrium Health Wake Forest Baptist

Posted by Steve Alder

Precision Imaging Centers in Jacksonville, FL, has recently notified 31,010 patients about a security breach that occurred on or around November 2, 2022. Unauthorized individuals gained access to its network and exfiltrated files containing sensitive patient information. The compromised information varied from patient to patient and may have included first and last names, addresses, dates of birth, Social Security numbers, driver’s license numbers, government-issued identification numbers, health insurance information, medical conditions/diagnoses, and other health or medical information.

Precision Imaging Centers said the attack was conducted by a high-profile threat actor group, and shortly after the attack was confirmed, a law enforcement operation resulted in the threat group’s websites and servers being seized, which suggests the threat actor behind the attack was the Hive ransomware group. Precision Imaging Centers said no evidence of misuse of personal information has been detected.

Precision Imaging Centers isolated its network when the breach was detected, and a forensic investigation and document review were conducted. Precision Imaging Centers said that the document review concluded on June 20, 2023, and notification letters were mailed on June 22, 2023. Affected individuals have been offered credit monitoring and identity theft protection services through IDX. Precision Imaging Centers has implemented new systems and has enhanced its security protocols to prevent similar attacks in the future.

Ohio Law Firm Notifies Individuals About September 2021 Data Breach

The Toledo, OH-based law firm, Marshall & Melhorn, LLC, recently started notifying 9,412 individuals that some of their protected health information was exposed in a 2021 cyberattack. According to the notification letters, a computer network outage occurred on September 14, 2021. An investigation was immediately launched, and it was determined that an unauthorized actor had access to its network from August 20, 2021, to September 14, 2021; however, the investigation was unable to determine the exact files that had been accessed or obtained.

Marshall & Melhorn said it conducted a review of all files potentially involved, and that process was completed on May 19, 2023, 18 months after the breach was detected. Efforts were then made to contact the affected clients and obtain up-to-date contact information. That process was completed on May 19, 2023, and notification letters were mailed on June 7, 2023, including on behalf of its client, Lima Memorial Health System.

The information potentially accessed included names, addresses, Social Security numbers, financial account information, driver’s licenses and state identification information, passport information, medical information, and health insurance information. The law firm says it has implemented additional cybersecurity measures in response to the breach and has detected no misuse of the exposed information. Credit monitoring services do not appear to have been offered.

Atrium Health Wake Forest Baptist Suffers Phishing Attack

Atrium Health Wake Forest Baptist in Winston-Salem, NC, has recently announced that patient information was stored in an employee email account that was accessed by unauthorized individuals as a result of the employee being tricked by a phishing email.

The attack occurred on April 20, 2023, and the unauthorized access was detected and blocked the same day. The forensic investigation confirmed that unauthorized access had been blocked, the breach was confined to a single email account, and that the email account contained the protected health information of 3,679 individuals. While protected health information may have been viewed or obtained, the forensic investigation determined that the unauthorized access was not focused on the content of the email account.

The information in the account varied from patient to patient and likely included one or more of the following: name, date of birth, hospital account record number, health insurance information, treatment cost information, and/or clinical information, such as date(s) of service, provider name, and location(s) of service. For a limited number of individuals, Social Security numbers were also exposed.

Notification letters have been mailed and individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity protection services. Security controls have been enhanced and phishing training will continue to be provided to the workforce.

The post Cyberattacks Reported by Precision Imaging Centers, Marshall & Melhorn, and Atrium Health Wake Forest Baptist appeared first on HIPAA Journal.

Cyberattack Affects Multiple Residential Care Facilities in Pennsylvania

Posted by Steve Alder

The Williamsport Home, a retirement village in Pennsylvania, and Senior Choice, Inc., a provider of skilled nursing care at three inpatient facilities in Pennsylvania – The Atrium in Johnstown, Beacon Ridge in Indiana, and The Patriot in Somerset – have been affected by a cyberattack that was detected on April 24, 2023.

Steps were immediately taken to secure the network when the security breach was detected and while the investigation into the cyberattack is ongoing, it has been determined that unauthorized individuals gained access to certain business operation systems between April 18 and April 24, 2023. The systems used directly for residential care do not appear to have been compromised; however, the business systems compromised in the attack contained protected health information that was potentially accessed or obtained.

The types of information that were exposed varied from individual to individual and may have included one or more of the following: Name, address, birth date, admission date, discharge date, death date, medical record number, provider or facility name, medical condition, diagnosis and/or treatment information, lab results, medications, payment amount history information, insurance payment amount information, date of service, Social Security number, financial account information, credit card number, medical information, health insurance information, driver’s license or state identification number, passport number, and any information on an individual that was created, used, or disclosed in the course of providing health care services.

Additional technical safeguards are being implemented to improve security to prevent similar breaches in the future. It has not yet been determined how many individuals have been affected so all individuals that are currently receiving services or have done in the past should therefore be vigilant against any misuse of their information. To meet the breach reporting requirements of the HIPAA Breach Notification Rule, the breach has been reported to the HHS by The Williamsport Home and Senior Choice as affecting at least 500 individuals. The totals will be updated when it has been confirmed how many individuals have been affected.

The post Cyberattack Affects Multiple Residential Care Facilities in Pennsylvania appeared first on HIPAA Journal.

Activate Healthcare Reports Security Breach Affects Up to 93,761 Patients

Posted by Steve Alder

The Illinois-based healthcare provider, Activate Healthcare, LLC, has recently confirmed that it suffered a security breach that resulted in the theft of patient data. Suspicious activity was detected within its IT systems on April 27, 2023, and the subsequent forensic investigation confirmed that an unauthorized third party had access to its network between April 22, 2023, and April 28, 2023.

On April 29, 2023, it was confirmed that files had been exfiltrated that included patient information such as names, dates of birth, addresses, Social Security numbers, driver’s license numbers, and clinical information, such as provider names, dates of service, and/or diagnoses. At the time of issuing notification letters, no evidence of misuse of patient data had been detected; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity protection services.  Activate Healthcare said steps will continue to be taken to enhance the security of its computer systems.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 93,761 patients.

Community Research Foundation Confirms 30,000-Record Data Breach

Community Research Foundation (CRF), a San Diego, CA-based non-profit research foundation that develops and operates programs focused on the treatment, education, and rehabilitation of individuals with mental health problems and substance use problems, has recently confirmed that sensitive health data was accessed by an unauthorized individual last year.

CRF detected a security breach on October 13, 2022, and third-party cybersecurity experts were engaged to investigate the incident. CRF said the review of the affected files concluded on April 19, 2023, when it was determined that the protected health information of individuals who sought medical services through medical and/or social service programs that CRF supports was involved. That information included names, Social Security numbers, driver’s license numbers, dates of birth, medical treatment and/or diagnosis information, and/or health insurance information.

CRF said after confirming which individuals had been affected, contact information needed to be verified to allow notification letters to be mailed, hence the delay in issuing notifications. The breach notice makes no mention of when access to its systems was gained, and credit monitoring services do not appear to have been offered to affected individuals.

The data breach was recently reported to the HHS’ Office for Civil Rights as affecting up to 30,057 individuals.

Henrietta Johnson Medical Center Patients Affected by Data Breach at Delaware Health Network

The Henrietta Johnson Medical Center (HJMC) in Wilmington, DE, has been affected by a security incident at the healthcare-controlled network provider and electronic health records management provider, Delaware Health Network (DHN). According to the HJMC notice, unauthorized individuals gained access to certain DHN systems on or around April 5, 2023, and copied files from those systems. DHN is currently investigating the incident to determine the extent of the data breach but has notified HJMC and other clients that their data may have been impacted.

HJMC has not yet been informed of the number of patients that have been affected. Based on the findings of the forensic investigation to date, the following data types may have been exposed: full name, dates of birth, ethnicity, medical record number, diagnosis code, lab information, and health insurance information. DHN has confirmed that Social Security numbers and financial account information were not viewed or stolen.

HJMC said it is reviewing its policies and procedures relating to third-party vendors and will continue to pursue information from DHN about the event. Out of an abundance of caution, notifications will be sent to all patients. The breach has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals. That number will be updated when DHN confirms how many patients have been affected.

The post Activate Healthcare Reports Security Breach Affects Up to 93,761 Patients appeared first on HIPAA Journal.

HIPAA Business Associate Fined $75,000 for Maintaining ePHI on an Unsecured Server

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle potential HIPAA violations with the HIPAA business associate, iHealth Solutions, LLC, for $75,000.

iHealth Solutions, doing business as Advantum Health, failed to secure one of its servers, which was accessed by an unauthorized individual who exfiltrated files that contained the electronic protected health information (ePHI) of 267 individuals. The HIPAA enforcement action shows that even relatively small data breaches can be investigated by OCR and result in a financial penalty. The last three penalties imposed by OCR to resolve HIPAA violations were all related to data breaches that affected fewer than 500 individuals.

Like many HIPAA-regulated entities that have been investigated by OCR after reporting data breaches, iHealth Solutions was discovered to have failed to comply with one of the most fundamental provisions of the HIPAA Rules – the risk analysis. All HIPAA-regulated entities must conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. §164.502(a).

OCR was notified about the data breach on August 22, 2017, and was informed that the ePHI of 267 individuals had been exfiltrated from the unsecured server. The fine was imposed for the impermissible disclosure of ePHI and the risk analysis failure.

In addition to the financial penalty, iHealth Solutions has agreed to implement a corrective action plan which includes the requirement to conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of iHealth’s ePHI, develop a risk management plan to address and mitigate all security risks identified in the risk analysis, develop a process to evaluate any environmental or operational changes that affect the security of iHealth ePHI, and develop, maintain, and revise, as necessary, written policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules. OCR will monitor iHealth Solutions for two years to ensure compliance with the HIPAA Rules.

“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA-covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”

This is the 7th OCR enforcement action of 2023 to result in a financial penalty, and the third enforcement action to be announced by OCR this month. So far this year, OCR has fined HIPAA-regulated entities a total of $1,976,500 to resolve violations of the HIPAA Rules.  See HIPAA Violation Fines.

The post HIPAA Business Associate Fined $75,000 for Maintaining ePHI on an Unsecured Server appeared first on HIPAA Journal.

Great Valley Cardiology Sued over 181,000-Record Data Breach

Posted by Steve Alder

A lawsuit has been filed against the Commonwealth Health cardiology group, Great Valley Cardiology (GVC), over a recently disclosed security incident in which hackers gained access to GVC’s computer network and the protected health information (PHI) of 181,764 individuals.

The data breach was discovered on April 13, 2023; however, the forensic investigation confirmed that hackers first gained access to its network 2 months previously on February 2, 2023. The review of the files potentially accessed or stolen confirmed they contained PHI such as names, medical information, Social Security numbers, credit/debit card information, and banking information. Individuals started to be notified about the data breach on June 12, 2023, as time was required to identify all affected individuals and verify contact information to allow notification letters to be mailed. Affected individuals were offered 24 months of complimentary credit monitoring and identity theft protection services.

A lawsuit was filed in Lackawanna County Court by attorney Andrew W. Ferich of the law firm Ahdoot & Wolfson, PC, against Commonwealth Health Physician Network, doing business as Great Valley Cardiology and Scranton Cardiovascular Physician Services LLC on behalf of plaintiff Michele Jarrow and similarly situated individuals who had their PHI compromised in the incident.

The defendants have not detected any misuse of patient information as a result of the breach; however, the lawsuit claims that patient information has been exposed and there is no way to ensure that the exposed information will not be misused. Consequently, the plaintiff and class members will need to spend time and money protecting themselves against fraud and identity theft for many years, and potentially for life. The plaintiff claims that she was informed by her security software that her personal information has been posted on the dark web, making it available to cybercriminals such as identity thieves.

In addition to failing to prevent the data breach, the lawsuit takes issue with the time taken to notify affected individuals that their data has been exposed. Notification letters were issued two months after the breach was detected and four months after the breach occurred, which the lawsuit alleges compounded the potential injury. The lawsuit alleges negligence, breach of fiduciary duty breach of contract, and unjust enrichment and seeks class action status, a jury trial, damages, and attorneys’ fees.

Lawsuits are often filed in response to healthcare data breaches, but Article III standing is often only granted if the plaintiffs can prove they have suffered a concrete injury. Lawsuits that only allege a future risk of injury or harm as a result of a security breach often fail to be granted standing, even if stolen data has been published on the dark web.

The post Great Valley Cardiology Sued over 181,000-Record Data Breach appeared first on HIPAA Journal.

Good Samaritan Hospital Settles Class Action Data Breach Lawsuit

Posted by Steve Alder

Good Samaritan Hospital in San Jose, CA, has agreed to settle a class action lawsuit that was filed in response to a data breach that exposed the protected health information of up to 233,835 individuals. According to the hospital, unauthorized individuals gained access to an employee email account between October 28 and November 8, 2019, which contained sensitive patient data such as names, birth dates, Social Security numbers, driver’s license numbers, passport numbers, tax identification numbers, financial account numbers, treatment/diagnosis information, health insurance information, billing information, doctors’ names, medical record numbers, medical histories, prescription information, Medicare/Medicaid IDs and patient account numbers.

A lawsuit – Young, et al. v. Good Samaritan Hospital­­ – was filed in the California Superior Court for Los Angeles County against the hospital on behalf of individuals impacted by the data breach. The lawsuit claims the hospital acted unlawfully by failing to prevent the data breach and alleged negligence, violations of the California Confidentiality of Medical Information Act (CMIA), and unlawful/unfair business practices, in violation of California Business and Professions Code.

Good Samaritan Hospital denied all of the allegations, maintains there was no wrongdoing, and claims it was fully compliant with all federal and state laws; however, the decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial. The proposed settlement has been agreed upon by all parties but has yet to receive final approval from a judge. The final approval hearing has been scheduled for Sept. 5, 2023.

The total settlement fund has not been disclosed; however, all class members are entitled to claim up to $1,500 as reimbursement for ordinary expenses, which are documented expenses that were incurred as a result of the data breach. Ordinary expenses include credit monitoring costs, phone calls, interest on loans, communication charges, card re-issuance fees, and unreimbursed bank fees. Individuals that have suffered identity theft, medical fraud, tax fraud, other forms of fraud, and other actual misuses of their personal information, can submit claims for documented, unreimbursed extraordinary losses that are reasonably traceable to the data breach of up to a maximum of $5,000.

The deadline for exclusion from and objection to the settlement is July 18, 2023, and all claims must be submitted by July 18, 2023. The class members were represented by Joshua B Swigart of Swigart Law Group AFC and Gayle M Blatt of Casey Gerry Schenk Francavilla Blatt & Penfield LLP.

The post Good Samaritan Hospital Settles Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

15-Year Employee Privacy Breach Discovered by Metro Health System

Posted by Steve Alder

Metro Health System in Cleveland, OH, has discovered an employee has accessed patient records without a valid work reason. The unauthorized access was discovered on April 27, 2023, and the subsequent investigation confirmed that patient records had been accessed without authorization at various times over the past 15 years. The earliest incident occurred in 2008.

The information viewed included patient names, dates of birth, and clinical information. No Social Security numbers or financial information were accessed. A spokesperson for Metro Health said the employee has been disciplined per its sanctions policy and no evidence has been found to indicate redisclosure of patient data or any misuse of that information. Affected individuals are being notified by mail, steps are being taken to improve its privacy practices, and further training has been provided to the workforce.

COX Health Affected by Hacking of Fortra GoAnywhere File Transfer Solution

Springfield, MO-based CoxHealth has recently confirmed that patient data was compromised in a January 2023 cyberattack on its billing vendor, Intellihartx. The Clop ransomware group exploited a vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution, stole sensitive data, and demanded a ransom to prevent the release of that information.

CoxHealth says up to 203,000 patients had their protected health information stolen in the attack, including names, addresses, birth dates, Social Security numbers, diagnoses, and billing and insurance information. The 203K figure is the maximum number of patients that could have been affected. It was not possible to determine with any degree of certainty exactly how many individuals had been affected. Intellihartx has offered complimentary credit monitoring and identity theft protection services to affected individuals.

SoutheastHealth Issues Statement About Potential Vendor Breach

SoutheastHealth in Cape Girardeau, MO, has issued a statement about a potential data breach at a vendor, ITX (Intellihartx).  SoutheastHealth said it learned about a potential breach when one of its patients said they had received a letter from Intellihartx saying their protected health information had been exposed and potentially stolen.

SoutheastHealth said names, addresses, dates of birth, billing information, insurance information, diagnoses, medications, and Social Security numbers were potentially stolen in the attack on the file transfer solution and confirmed that its own systems were not affected. SoutheastHealth said it does not currently have a business relationship with Intellihartx and no formal notification was received from Intellihartx confirming SoutheastHealth was one of the companies affected.

The post 15-Year Employee Privacy Breach Discovered by Metro Health System appeared first on HIPAA Journal.

Atlantic General Hospital Increases Ransomware Victim Count to Almost 140,000 Individuals

Posted by Steve Alder

In March 2023, Atlantic General Hospital notified the Maine Attorney General that it had fallen victim to a ransomware attack in which the protected health information of 30,704 individuals was exposed; however, the ransomware attack was far more extensive than was previously thought and the total has been upwardly revised to 136,981 individuals.

The attack was detected on January 29, 2023, and the forensic investigation confirmed hackers had access to its network between January 20 and January 29, 2023. The initial review of files that were potentially compromised in the breach was completed on March 6, 2023, and confirmed that names, medical record numbers, treating/referring physician names, health insurance information, subscriber numbers, medical history information, and diagnosis/treatment information may have been accessed or acquired. Notification letters were sent on March 24, 2023, and complimentary credit and identity monitoring services were offered to affected individuals.

The investigation into the attack continued, and additional files were discovered to have been compromised. The review of those files was completed on May 15, 2023, and after obtaining up-to-date contact information, additional notification letters were sent to affected individuals on June 22, 2023. The compromised information included names in combination with one or more of the following: Social Security number, date of birth, financial account information, medical/treatment information, and health insurance information. Those individuals have also been offered complimentary credit and identity monitoring services. Atlantic General Hospital says it is working on implementing additional safeguards to improve data security and has provided further training to its workforce.

Palomar Health Patients Impacted by PharMerica Ransomware Attack

Palomar Health in San Diego, CA, has recently confirmed that patient data was exposed in a ransomware attack on its business associate, PharMerica, a nationwide provider of pharmacy services. The ransomware attack was detected on or around March 14, 2023, and the forensic investigation confirmed that at least 5,815,591 individuals had been affected. The attack was conducted by the Money Message ransomware group, which added the stolen data to its leak site in late March. The attack has been covered in more detail here.

Palomar Health has confirmed that the following data was potentially compromised in the attack: name, address, date of birth, Social Security number, medications, and health insurance information. Individuals affected received care at Palomar Continuing Care Center in Escondido or The Villas at Poway (Villa Pomerado) between 2001 and 2020. PharMerica is offering complimentary credit and identity theft monitoring services to the affected individuals and is issuing notification letters to patients directly. It is currently unclear how many Palomar Health patients have been affected.

Desert Physicians Management Cyberattack Affects Patients of its Healthcare Provider Clients

Desert Physicians Management in Apple Valley, CA, a provider of administrative support services to physicians’ groups, including Choice Physicians Network/Choice Medical Group, Choice Healthcare Associates, and Horizon Valley Medical Group, has recently announced that unauthorized individuals gained access to its computer systems and copied certain files from its network.

The security breach was detected on April 23, 2023, and the forensic investigation confirmed on or around May 18, 2023, that some of the files acquired by the attackers included protected health information provided by its healthcare provider clients. The compromised information was limited to names, addresses, dates of birth, health insurance information, and clinical information, including diagnosis, treatment information, and/or medication information. Desert Physicians Management said additional security measures have been implemented to help prevent similar incidents from occurring in the future.

The post Atlantic General Hospital Increases Ransomware Victim Count to Almost 140,000 Individuals appeared first on HIPAA Journal.