Ascension Notifying Patients About Data Breach at Former Business Partner – The HIPAA Journal
Ascension in St. Louis, Missouri, has started notifying certain patients about a security incident at one of its former business partners. Ascension learned on December 5, 2024, that the business partner had experienced a hacking incident. An investigation was launched, and it was determined on January 21, 2025, that Ascension had inadvertently disclosed patient data to the former business partner, and that data had likely been stolen in the hacking incident. Ascension confirmed that its own systems were unaffected.
A hacker was able to exploit a vulnerability in third-party software to gain access to data held by the former business partner. The data review confirmed that the information likely stolen in the incident included names, addresses, phone numbers, dates of birth, email addresses, race/gender, Social Security numbers, medical record numbers, insurance company names, and clinical information related to inpatient visits, which may have included service locations, physicians’ names, discharge dates, and diagnosis and billing codes.
Ascension said it has reviewed its policies, procedures, and processes and will implement enhanced safeguards to prevent similar incidents in the future. The affected individuals had previously received services at Ascension facilities in Alabama, Michigan, Indiana, Tennessee, and Texas. Individual notifications are being mailed, and the affected individuals have been offered two years of complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.
Carolina Anesthesiology Database Containing 21,344 Records Exposed Online
A database containing the personally identifiable and protected health information of 21,344 patients has been exposed online. The database was found by security researcher Jeremiah Fowler, who analyzed a sample of the data and confirmed it contained information such as names, addresses, phone numbers, health insurance information, emergency contact information, diagnoses, case summaries, medications, vital statistics, family and patient medical histories, anesthesiology summaries, and physicians’ notes. The database also contained software billing and compliance reports belonging to a medical software company.
Fowler notified the medical software company about the exposed database; the company identified the database owner and notified them. The database was secured the same day. It is unclear how long the database was exposed and whether it was accessed by any other individuals. Fowler also identified files related to Atrium Health and contacted them about the data breach. Atrium Health confirmed that an investigation had been initiated and, via databreaches.net, that the database belonged to Carolina Anesthesiology. Atrium Health said it immediately shut down its data feeds to Carolina Anesthesiology while the database was secured and the incident was investigated. Carolina Anesthesiology is located in High Point, North Carolina, and provides anesthesiology services to High Point Regional Health System and Atrium Health.
AllCare Plus Pharmacy Settles Class Action Data Breach Lawsuit – The HIPAA Journal
A settlement has been agreed to resolve litigation stemming from a 2022 data breach at AllCare Plus Pharmacy. The Northborough, MA-based pharmacy detected the security incident on June 21, 2022, when suspicious activity was identified in an employee’s email account.
The investigation confirmed that hackers gained access to the email account after the employee responded to a phishing email. The review of the account confirmed it contained names, addresses, birth dates, Social Security numbers, driver’s license and other ID numbers, financial information, and limited health and health insurance information related to treatment and prescriptions. The breach was reported to the Maine Attorney General as affecting 5,971 individuals.
A lawsuit – Celeste Brown, et al. v. AllCare Plus Pharmacy LLC – was filed in the Suffolk County Superior Court of the Commonwealth of Massachusetts over the data breach, claiming the data breach occurred due to the failure to implement appropriate cybersecurity measures and follow industry standard security best practices.
According to the lawsuit, had those measures been implemented, the data breach could have been prevented. AllCare Plus Pharmacy maintains that there was no wrongdoing and that it had meritorious defenses in place; however, the pharmacy chose to settle the litigation to prevent further legal costs and to avoid the risks and uncertainty associated with continuing to fight the litigation.
Under the terms of the settlement, individuals who were notified that their data was compromised may submit claims for reimbursement of documented out-of-pocket losses. Claims may be submitted for ordinary losses up to a maximum of $750 per class member, which can include communication costs, credit monitoring costs, attorneys’ fees, accountants’ fees, and miscellaneous expenses.
Claims may also be submitted for extraordinary losses, such as losses due to identity theft and fraud, up to a maximum of $5,000 per class member. Class members may also claim up to five hours of lost time dealing with the consequences of the data breach at $20 per hour. Class members have been offered two years of complimentary credit monitoring and identity theft protection services. Class members who do not wish to submit a claim or receive credit monitoring services may choose to receive a cash payment of $50.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 27, 2025. The deadline for exclusion from the settlement, objection to the settlement, and submitting claims is July 3, 2025. AllCare Plus Pharmacy said it has made security changes since the incident and will continue to review and update those security measures.