Data breaches have recently been reported by R1 RCM, St. Mary’s Healthcare System for Children, Philips Respironics, and California Correctional Health Care Services.

R1 RCM

R1 RCM Inc., a provider of revenue cycle management services to hospitals, has recently reported a breach of the protected health information of 16,121 individuals. According to a breach notice sent to the Massachusetts Attorney General, R1 learned on November 23, 2023, that protected health information associated with Dignity Health’s St. Rose Dominican Hospital de Lima was in the possession of an unauthorized third party. The hospital’s network was not compromised in the incident.

A review was conducted to determine the data types that had been obtained, and on January 11, R1 determined that the information contained names, contact information, dates of birth, Social Security numbers, location of services, clinical and/ or diagnosis information, and patient account and/or medical record numbers. R1 has notified the affected individuals directly and has offered them 2 years of complimentary credit monitoring and identity theft protection services.

St. Mary’s Healthcare System for Children, Inc.

St. Mary’s Healthcare System for Children, Inc. in Bayside, NY, identified unauthorized activity within its computer network on or around November 9, 2023, and the forensic investigation confirmed that files were removed from its network the same day. A review of those files confirmed they contained the personal information of 5,650 individuals, including names and Social Security numbers. Individual notifications were mailed to the affected individuals on March 20, 2024, and 12 months of complimentary credit monitoring services have been offered. In a comment to The HIPAA Journal, a representative of St. Mary’s Healthcare System for Children stated that “Only 254 individuals were patients whose PHI may have been viewed, the remainder were employees, former employees and other individuals whose personal information (SSNs, not PHI) may have been viewed”.

Philips Respironics

Philips Respironics has recently reported a breach to the HHS’ Office for Civil Rights that involved the protected health information of 1,125 individuals. While the breach has recently been reported to OCR, it occurred on May 31, 2023, and involved the exploitation of a zero day vulnerability in Progress Software’s MOVEit Transfer software. Philips Respironics discovered the breach on June 5, 2023.

Two clients of Philips Respironics have recently confirmed that they have been affected: Forward Healthcare LLC and Rotech Healthcare. Forward Healthcare said it was notified by Philips Respironics on December 20, 2023, that there had been unauthorized access to the Care Orchestrator and Encore Anywhere software solutions via the MOVEit vulnerability, and personal and health information was potentially compromised. 3,999 Forward Healthcare patients were affected. Rotech Healthcare said it was notified about the incident on December 26, 2024, and was provided with a list of the affected patients. The compromised information included names, contact information, dates of birth, medical information related to the therapy delivered, and health insurance information. It is currently unclear how many Rotech patients have been affected.

California Correctional Health Care Services

California Correctional Health Care Services (CCHCS) has recently identified an impermissible disclosure of personal information. On or around February 26, 2024, a member of staff accidentally emailed an attachment to an unauthorized recipient. The attachment contained protected health information such as last names, CDCR numbers, medical information, risk/priority levels, order types/names, reasons for appointments, and dates of appointments.

CCHCS said the recipient of the email did not open or view the attached file and CCHCS received confirmation that the attachment has been deleted and was not shared with any other individual. The employee in question has been provided with additional privacy awareness and information security awareness training. It is currently unclear how many individuals have been affected.

The post R1 RCM Data Breach Impacts 16,000 Patients appeared first on HIPAA Journal.

Cyberattacks and data breaches have been reported by Valley Oaks Health and Sycamore Rehabilitation Services in Indiana, Plymouth Tube Company in Illinois, and Weirton Medical Center in West Virginia.

Valley Oaks Health, Indiana

Valley Oaks Health in Niles, IL, has recently notified 50,352 individuals about a breach of its network environment. Unauthorized individuals gained access to parts of its network between June 8, 2023, and June 13, 2023. Its network was secured, and third-party cybersecurity experts were engaged to assist with the investigation and confirmed that files containing patient data had been exposed and may have been stolen.

The forensic investigation and document review were completed on February 2, 2024. The breach notice sent to the Maine Attorney General has the specific types of compromised data redacted but the notice confirmed that names have been exposed along with Social Security numbers. Consumer notifications were mailed on March 18, 2024, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

Weirton Medical Center, West Virginia

Weirton Medical Center in West Virginia identified suspicious activity within its computer network on January 18, 2024. Systems were immediately secured, and third-party cybersecurity experts were engaged to investigate the breach and determined there had been unauthorized access to the network between January 14, 2024, and January 18, 2024, and files were copied from its systems.

The information involved varied from individual to individual and may have included one or more of the following: name, Social Security number, date of birth, medical information, health insurance information, treatment information, and the balance due on medical bills. While files were confirmed as having been removed from the network, Weirton Medical Center is unaware of any misuse of patient data. Weirton Medical Center said strict security measures were already in place and they have been augmented to prevent similar incidents in the future. Notification letters were sent to the affected individuals on March 18, 2024. The incident has been reported to the HHS’ Office for Civil Rights as affecting 26,793 individuals.

Sycamore Rehabilitation Services, Indiana

Sycamore Rehabilitation Services, Inc. in Danville, IL, has reported a breach of its email system and the exposure of the personal data of 3,414 individuals. The breach was detected on September 21, 2023, with the forensic investigation confirming there had been unauthorized access to its network between July 29, 2023, and August 9, 2023. During that time, there may have been unauthorized access to names, dates of birth, Social Security numbers, driver’s license/state identification numbers, account numbers, routing numbers, medical information, and health insurance information. It was not possible to determine exactly what types of information were acquired in the attack.

Sycamore Rehabilitation Services said it had implemented security measures prior to the breach. Multi-factor authentication was enabled on all email accounts, a VPN was required for access to internal resources from outside the organization, critical patches were applied each month, email security solutions were in place, all endpoints were protected with Sentinel One anti-virus, Azure PowerShell access was off by default, and POP/IMAP was disabled by default. Those measures have now been augmented with Proofpoint email scanning and security, Breach Secure Now phishing testing, and DUO MFA on VPN accounts.

The affected individuals were notified by mail on March 1, 2024, and have been offered complimentary credit monitoring and identity theft protection services. Sycamore Rehabilitation Services said the delay in issuing notifications was due to the time taken to investigate the breach and identify the affected individuals.

Plymouth Tube Company, Illinois

Plymouth Tube Company in Warrenville, IL, has identified unauthorized access to its computer network. The forensic investigation confirmed that there was unauthorized access between January 27, 2024, and January 29, 2024, and during that time, the unauthorized actor accessed or acquired files on its servers which included files that contained employee benefit plan data.

The review of the affected files confirmed that 2,652 current and former employees and their dependents had been affected and had one or more of the following compromised: name, date of birth, Social Security number, driver’s license number, and plan information. The affected individuals were notified on March 13, 2024, and complimentary credit monitoring and identity theft protection services have been made available.

The post Valley Oaks Health Reports 50,000-Record Data Breach appeared first on HIPAA Journal.

Three mailing error incidents have resulted in the impermissible disclosure of the PHI of more than 10,000 Humana members. Data breaches have also recently occurred at KMJ Health Solutions, Jewish Home Lifecare, and Lake of the Woods County Social Services.

Insurance ACE/Humana Inc.

The Kentucky-based health insurance provider Humana Inc. has recently disclosed three separate mailing error incidents that have resulted in the impermissible disclosure of the protected health information of 10,688 of its members. On December 8, 2023, a programming error resulted in Explanation of Payment documents intended for providers being sent to an incorrect address. The documents included first and last names, Humana ID numbers, provider names, dates of service, and claim payment information.

On December 14, 2023, large print/braille health plan communications were mailed to incorrect recipients. An error was made when fixing an unrelated coding issue that added a date/time stamp to the naming convention, which was not a unique identifier. As a result, the system began overwriting files as duplicates, which resulted in members receiving another member’s letter. The information impermissibly disclosed included first and last names, addresses, Humana ID numbers, provider names, dates of service, claim payment information, prescription medication information, and copay and premium information.

On January 12, 2024, Humana’s printing vendor in Louisiana, Broadridge Output Solutions, Inc., experienced a printing error that caused explanation of benefits information of Humana members to be printed on the reverse of other members’ statements. The information impermissibly disclosed included names, claim information, provider name, gender, copay information, deductible and coinsurance information. Humana said all of the errors have been rectified and it is unaware of any misuse of members’ information.

KMJ Health Solutions

KMJ Health Solutions, a Michigan-based provider of online signout and charge capture systems, has reported a breach of the protected health information of 2,191 individuals. On November 19, 2023, KMJ Health Solutions identified unauthorized access to the server that hosts its eDocList system. The attacker used ransomware to encrypt files and may have obtained the data of some of its clients. The threat actor first gained access to the server on July 1, 2023. KMJ Health Solutions notified the affected clients on or around January 11, 2024.

One of the affected clients was Saint Joseph’s Medical Center in New York. The information potentially compromised included names, dates of birth, medical record numbers, diagnoses, laboratory results, dates of service, provider names, medications, and/or treatment information. Saint Joseph’s sent notifications to the affected individuals on March 4, 2024, and has confirmed that it no longer uses KNJ Health Solutions. When business associates experience data breaches, notifications may be issued by the business associate, their covered entity clients, or a combination of the two. It is therefore unclear at this stage how many individuals in total have been affected.

Jewish Home Lifecare

Jewish Home Lifecare, Inc., a New York senior health care system, identified unusual activity in its computer systems on January 7, 2023, and assisted by computer forensics experts, determined that there had been unauthorized access to its systems and the hackers potentially viewed or obtained patient data. The information exposed included names, addresses, dates of birth, Social Security numbers, payment card information, financial account information, passport numbers, medical record information, and medical treatment information. Jewish Home Lifecare has reported the incident to the HHS Office for Civil Rights as affecting 501 individuals. 501 is a placeholder often used to meet breach reporting requirements when the total number of affected individuals has yet to be confirmed.

Lake of the Woods County Social Services

Lake of the Woods County Social Services in Minnesota has reported a data breach that has affected individuals served by the County Social Services Department and their household members. On November 14, 2023, the County’s cybersecurity solutions detected and blocked a ransomware attack. While file encryption was prevented, the forensic investigation confirmed there was unauthorized access to its systems between November 14 and November 15, 2023, and data was stolen in the attack.

A ransom demand was received, but the County refused to pay to have the stolen data deleted, consistent with the advice of the FBI. Some of the stolen data was subsequently posted on the dark web. The information compromised in the attack included the following: Name, in combination with some or all of the following: address, date of birth, Social Security number, driver’s license number, financial account information, payment card information, information related to medical condition, treatment or diagnosis, medications, names of healthcare providers, information related to services individuals received from the County Social Services Department, such as locations of service, dates of service, client identification number or unique identifiers related to services provided to you, insurance identification number, and/or insurance information. For a limited number of individuals, the data included mental health reports and/or username(s) and password(s) used to access online accounts. The breach has been reported to the HHS’ Office for Civil Rights as affecting 537 individuals.

The post Humana Reports Mailing Errors Affecting More than 10,000 Members appeared first on HIPAA Journal.

Data breaches have recently been reported by Rebound Orthopedics & Neurosurgery, CCM Health, BlueCare Plus Tennessee, and Orsini Pharmaceutical Services.

Rebound Orthopedics & Neurosurgery

Rebound Orthopedics & Neurosurgery in Vancouver, WA, has recently announced that it fell victim to a cyberattack on February 2, 2024. The attack was detected on February 3 when its computer systems went offline, including its patient and scheduling portals, and the outage lasted for more than 2 weeks. Computer forensics specialists were engaged to investigate the incident and confirmed that an unknown and unauthorized actor had accessed its network and viewed or copied files that were stored on its systems. A detailed review has been conducted of those files which confirmed that they contained patient information although no evidence was found to indicate any information in those files has been misused.

It is currently unclear what information was involved, as that information was not present in the sample notice provided to the Montana Attorney General. The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected. Rebound Orthopedics & Neurosurgery said additional security measures have been implemented to prevent similar incidents in the future and complimentary credit monitoring services have been offered to the affected individuals for 24 months.

CCM Health

CCM Health in Montevideo, MN, has recently notified 29,182 individuals about a network security incident that involved some of their personal and health information. In a March 12, 2024, breach notice, CCM Health explained that there had been unauthorized access to its network between April 3, 2023, and April 10, 2023, and an unauthorized third party may have accessed and removed files containing their sensitive information.

A comprehensive review was conducted of all files on the compromised parts of the network that confirmed they contained full names, date of birth, Social Security numbers, medical information, and health insurance information. The exposed health information included medical record numbers, patient account numbers, prescription information, healthcare provider names, medical diagnoses, diagnosis codes, treatment types, treatment locations, treatment dates, admission dates, discharge dates, and/or lab results.

The file review was completed on February 12, 2024, and notification letters have now been sent to the affected individuals. Single bureau credit monitoring/single bureau credit report/single bureau credit score services have been provided to the affected individuals at no charge

BlueCross BlueShield of Tennessee

BlueCross BlueShield of Tennessee, Inc. (BCBST) and Volunteer State Health Plan, Inc. which do business as BlueCare Plus Tennessee, have recently notified around 2,000 individuals about two security incidents that exposed their sensitive information.

BCBST said it identified suspicious login attempts to its member portal from outside the company on or around December 19, 2023. The attempts were made to log in using username and password combinations that came from an unknown source. The investigation found no evidence to suggest there had been a breach of BCBST systems, and it would appear that this was a credential stuffing attack, where username/password combinations that have been obtained in a third-party breach are used to try to log into accounts on other platforms.

The member portal was immediately disabled while the unauthorized activity was investigated, password security was enhanced, and third-party forensics experts were engaged to assist with the investigation. Between January 18 and January 24, 2024, BCBST learned that there had been a similar incident on August 7, 2023. The data potentially accessed in these two incidents included names, dates of birth, addresses, subscriber IDs, provider names, group numbers and names, plan information, medical information, claims information, and user IDs and passwords. For fewer than 1% of the affected individuals, financial information was also exposed. For individuals whose coverage ended more than two years ago the breached information only included IDs and passwords.

BCBST is implementing new login requirements and has notified the affected individuals and offered them identity monitoring services at no cost. They have also been asked to change their online account passwords when they sign in and to use a password that has not been used elsewhere. Two separate reports of data breaches have been logged by the HHS’ Office for Civil Rights that affected 1,251 and 790 individuals.

Orsini Pharmaceutical Services

Orsini Pharmaceutical Services in Illinois has recently discovered there has been unauthorized access to an employee’s email account. The breach was detected on January 10, 2024, and the investigation confirmed that a single email account was compromised between January 8 and January 10, 2024. The email account was reviewed to find out the types of information that had been exposed, which confirmed that the protected health information of 1,433 patients was present in the account, including names, addresses, dates of birth, medical record numbers, health insurance information, diagnoses, and/or prescription information.

Orsini Pharmaceutical Services did not find evidence to suggest that the attack was conducted to obtain patient data, but the possibility could not be ruled out. Additional safeguards and technical security measures have been put in place to further protect and monitor its systems, and the affected individuals have been notified and offered a complimentary 12-month membership to a credit monitoring service.

The post Data Breaches Reported by Rebound Orthopedics, CCM Health, BCBST & Orsini Pharmaceutical Services appeared first on HIPAA Journal.

On March 12, White House officials met with UnitedHealth Group, leaders at the Department of Health and Human Services, and industry groups to discuss the cyberattack at UHG-owned Change Healthcare, the disruption to healthcare services over the past 3 weeks, and mitigations to help patients and providers.

The Change Healthcare cyberattack was detected on February 21 – the timeline of events can be viewed here – and caused an outage that lasted for three weeks. The Blackcat ransomware group claimed responsibility for the attack. The attack caused massive disruption with providers unable to verify coverage, submit prior authorization requests, exchange clinical records, and be reimbursed for services.

UHG set up a financial assistance program to help providers who receive payments processed by Change Healthcare, who could apply for temporary funding through Optum Financial Services, and the Centers for Medicare and Medicaid Services (CMS) introduced flexibilities to help ease the financial strain on providers, including applications for advanced payment. Last week, 2 weeks after the attack, UHG was finally able to provide a timeline for bringing systems back online and this week confirmed that 99% of pharmacy and payment systems are now online.

The meeting was led by HHS Secretary Xavier Becerra and Deputy Secretary Andrea Palm, who were joined by White House Domestic Policy Advisor Neera Tanden, White House Deputy National Security Advisor (DNSA) for Cyber and Emerging Technologies Anne Neuberger, and others from the federal government. At the meeting, concrete actions were discussed to mitigate the harm caused to patients and providers.

Secretary Becerra and Domestic Policy Advisor Tanden stressed that the government and public sector must work together to help providers, many of whom are struggling to make payroll and deliver timely care to patients. They also stressed that insurers needed to help providers who are facing financial difficulties. During the meeting, industry groups discussed the problems faced by providers, the gaps in the response from payers, and how providers desperately need more immediate payment options, direct communications, and relaxed billing and claims processing requirements.

Payers were asked to provide assistance and committed to continued coordination. They also explained that they are working on further steps to reduce red tape, provide accessible funding opportunities through advanced payments, and other measures to address the cash flow issues that providers are experiencing. White House officials said they would be following up on the commitments made by payers at the meeting.

The interconnectedness of healthcare means a cyberattack on one entity can have far-reaching consequences, and with Change Healthcare processing 15 billion transactions annually and its systems touching the data of 1 in 3 patients in America, the fallout from the cyberattack has been immense. At the meeting, DNSA Neuberger stressed the urgent need to strengthen cybersecurity resilience across the sector, and the importance of all organizations implementing the HHS’s voluntary HPH Cybersecurity Performance Goals.  A readout of the meeting is available on the HHS website.

The post White House Meets with Healthcare Community to Discuss Change Healthcare Ransomware Attack Mitigations appeared first on HIPAA Journal.

Data breaches have recently been reported by UC San Diego Health, Littleton Regional Healthcare, UT Southwestern Medical Center, and the Texas Health and Human Services Commission

UC San Diego Health Discloses January Phishing Attack

UC San Diego Health has recently notified the California Attorney General about a phishing attack that was discovered on January 9, 2024, which exposed the sensitive data of patients. Two Hillcrest Medical Center employees responded to the phishing emails and disclosed their credentials, which allowed their email accounts to be accessed by unauthorized individuals. UC San Diego Health said the email accounts were accessed for brief periods between January 9, 2024, and January 22, 2024.

A review of the exposed emails and attachments was completed on February 26, 2024, and confirmed that they contained patients’ protected health information such as names, Social Security numbers, and one or more of the following: mailing address; email address; date of birth; medical record number; health insurance information; treatment cost information; and/or clinical information, such as medications, provider name or diagnosis.

UC San Diego Health said it is enhancing its security controls and will continue to provide phishing prevention training and education to its employees. The affected individuals are being notified and are being offered complimentary credit monitoring and identity theft protection services.  It is currently unclear how many individuals have been affected.

Littleton Regional Healthcare Reports Email Error and the Impermissible Disclosure of Patient Information

Littleton Regional Healthcare in New Hampshire has recently reported a breach of the protected health information of 12,614 individuals. On January 2, 2024, an employee sent an email containing the names and dates of birth of patients to an individual who was not authorized to receive the information. That individual contacted Littleton Regional Healthcare the same day to report the error and confirmed that the information in the email had not been disclosed to anyone else and that the email had been deleted. Littleton Regional Healthcare has notified the affected individuals, reviewed appropriate policies and procedures, and has provided further training to employees to reduce the likelihood of similar errors in the future.

Texas Health and Human Services Commission Breach Affects More Than 3,300 Patients

The Texas Health and Human Services Commission (HHSC) has discovered an impermissible disclosure of the personal information of 3,392 individuals. On January 11, 2024, a member of staff emailed spreadsheets containing sensitive information to a personal email account. The spreadsheets contained the personal information of people who live in or around Tyler, Texarkana, Longview, Marshall, Beaumont, and Nacogdoches, and included full names, addresses, telephone numbers, financial information, health information, Medicaid numbers, and Social Security numbers. The spreadsheets were sent in several emails between September 2023 and October 2023.

The investigation into the breach concluded on February 2, 2024, and notification letters have now been mailed to the affected individuals, who have been offered 12 months of free credit monitoring services. HHSC said it has found no evidence to suggest that the spreadsheets have been shared with any other individuals or that the information has been misused. Additional training has been provided to the workforce to remind staff members of the importance of protecting confidential information.

UT Southwestern Medical Center Reports Software-Related Data Breach

UT Southwestern Medical Center has recently reported a breach to the Texas Attorney General that involved the protected health information of 2,094 individuals. Little information about the data breach has been disclosed at this stage, but the medical center has confirmed that the breach was not due to a cyberattack and was related to the internal use of unapproved software. The information that was involved included names, addresses, dates of birth, medical information, and health insurance information. UT Southwestern Medical Center individual notifications are currently being prepared and will be mailed shortly.

The post Patient Data Exposed in Phishing Attack on UC San Diego Health appeared first on HIPAA Journal.

Grace Lutheran Communities in Wisconsin, a provider of rehabilitation services, assisted living, independent living, and skilled nursing, has experienced a ransomware attack. The incident was detected on January 22, 2024, and while the investigation is ongoing, Grace Lutheran Communities has confirmed that patient data was stolen including names, addresses, Social Security numbers, and health insurance information.

On February 17, 2024, Grace Lutheran Communities discovered that a ransomware group – ALPHV/Blackcat – had published some of the stolen data on its data leak site. Grace Lutheran Communities said it is committed to ensuring the privacy and security of patient data and is enhancing network security to prevent similar attacks in the future. Grace Lutheran Communities has yet to confirm how many individuals have been affected.

Washington County Hospital and Nursing Home Falls Victim to Ransomware Attack

Washington County Hospital and Nursing Home has notified 31,125 individuals about a December cyberattack that may have resulted in an unauthorized third party accessing their sensitive information.  On December 24, 2023, network disruption occurred which prevented access to internal systems. A third-party cybersecurity firm was engaged to help secure its systems and conduct a forensic investigation, and evidence was found of unauthorized access to files containing patient data. Those files included tax forms and Social Security numbers (SSNs); however, no reports have been received of any actual or attempted identity theft or fraud as a result of the data breach.

Washington County Hospital and Nursing Home has augmented its security measures and is offering the affected individuals complimentary access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services.

Bay Area Anesthesia Patients Affected by Cyberattack on Business Associate

Bay Area Anesthesia in Clearwater, FL, has been affected by a data security incident at a former business associate, Bowden Barlow Law. The law firm identified suspicious activity within its network and the investigation confirmed that there had been unauthorized access by a third party between November 17, 2023, and December 1, 2023, and during that time, files were exfiltrated from its network that contained the protected health information of 15,196 individuals. Bay Area Anesthesia has notified the affected individuals and has offered them complimentary credit monitoring and identity theft protection services for 12 months.

Cardiothoracic and Vascular Surgeons Alerts Patients About December Data Breach

Cardiothoracic and Vascular Surgeons in Austin, TX, has confirmed that unauthorized individuals accessed its network between October 12, 2023, and October 13, 2023, and exfiltrated files containing patient data. A review of the affected files was completed on January 22, 2024, and confirmed that the protected health information of 2,345 individuals was present in those files, including names, driver’s licenses, and/or government-issued IDs. Notifications were issued to the individuals on February 16, 2024, and credit monitoring and identity theft protection services are being made available.

The post Grace Lutheran Communities Falls Victim of ALPHV/Blackcat Ransomware Attack appeared first on HIPAA Journal.

Egyptian Health Department (EHD) in Eldorado, IL, has recently announced a data breach affecting up to 100,000 patients. EHD suffered a cyberattack on December 21, 2023, and while the forensic investigation is still ongoing, evidence has been found that indicates folders on its network were accessed by an unauthorized individual. Those folders contained files that included patients’ protected health information and employee data.

The exposed patient data included names, dates of birth, medical information, and health insurance claims information. The exposed employee data included names, Social Security numbers, driver’s license numbers/ other government-issued IDs, financial account information, and/or insurance information. EHD is still investigating the incident to determine the potentially impacted employees and patients and will mail notifications when that process is completed.

EHD has taken several steps to improve security, including creating new domain controllers, moving the SMB network shares of the domain controllers to a dedicated virtual machine, conducting permission audits on shared folders, limiting Sharepoint Server to internal access only, installing Sentinel One and Huntress on all equipment, and implementing password protection on spreadsheets with PHI.

McKenzie County Healthcare System Announces Email Account Breach

McKenzie County Healthcare System in North Dakota has identified unauthorized access to an employee email account. The breach was detected on or around October 5, 2023, and the forensic investigation confirmed an unauthorized individual accessed a single email account between October 2 and October 5, 2023.

A review was conducted of all emails and attachments in the account, and it was confirmed that the protected health information of 21,000 patients had been exposed. The exposed data included names, addresses, medical information, and health insurance information. No evidence was found to indicate any of that information has been misused.

Forward Healthcare Impacted by MOVEit Hack at Business Associate

Forward Healthcare has confirmed that the protected health information of 3,999 patients was compromised in a cyberattack on its business associate, Philips Respironics. On December 20, 2023, Philips Respironics notified Forward Healthcare that data was compromised in a May 31, 2023, cyberattack that saw access gained to its Care Orchestrator and Encore Anywhere software solutions after a zero day vulnerability in the MOVEit Transfer solution was exploited. The data potentially stolen in the attack included names and personal and medical information.

Email Account Breached at Maryville Addiction Treatment Centers

Maryville Addiction Treatment Centers in New Jersey have started notifying 155,03 patients about a breach of an employee email account. The security breach was detected on or around August 22, 2023, and the forensic investigation revealed there had been unauthorized access to the account between August 21, 2023, to August 22, 2023.

The review of the account confirmed the following data was exposed: full names, Social Security numbers, medical treatment information, health insurance information, dates of birth, financial account information, and government identification. Maryville said there are no indications that any of the exposed information has been misused.

Cencora Confirms Recent Cyberattack Involved Data Exfiltration

The Fortune 500 pharmaceutical firm, Cencora, said in a filing with the Securities and Exchange Commission (SEC) that it has experienced an intrusion and data was exfiltrated from its network. Cencora said the attack did not have a material impact on its operations, but it is too early to tell whether the incident will have any material impact on its financial condition.

Cencora said it discovered unauthorized activity within its systems and took immediate action to contain the threat and reported the incident to law enforcement. Third-party cybersecurity experts have been engaged to assist with the investigation and data exfiltration was confirmed on February 21, 2024, but an announcement has yet to be made about the nature of the impacted data.

California Department of State Hospitals Alerts Patients About SSN Exposure

The State of California – Department of State Hospitals Atascadero (DSH-A) has started notifying certain patients about a security incident discovered on February 15, 2024, in which Leave and Activity Balance (LAB) reports were exposed. The reports were disseminated to DSH-A staff for use in timesheet approval and contained confidential information such as names and Social Security numbers. DSH has launched an investigation to determine if the reports have been improperly accessed and is in the process of arranging for complimentary identity theft protection services to be provided to the affected individuals.  At this stage, it is unclear how many individuals have been affected.

The post Egyptian Health Department Cyberattack Affects Up to 100,000 Individuals appeared first on HIPAA Journal.