Security breaches have been reported by the Center for Urban Community Services in New York, Riverview Health in Indiana, and Smile Design Management in Florida.

The Center for Urban Community Services, New York

The Center for Urban Community Services, a New York social services organization, has notified 38,000 individuals about a network intrusion that occurred between September 4, 2023, and September 9, 2023. The intrusion was detected on September 9, 2023, and an investigation was launched, but data acquisition was not confirmed at the time. Center for Urban Community Services has now confirmed sensitive data was exfiltrated in the incident. The types of information involved varied from individual to individual and may have included names, addresses, telephone numbers, dates of birth, Social Security numbers, benefit identification numbers, health information, and prescription information. The Center for Urban Community Services is unaware of any misuse of the affected information.

Riverview Health, Indiana

Riverview Health in Noblesville, IN has discovered unauthorized access to an employee’s email account. An unidentified third party had access to the account for less than an hour on August 23, 2024, before the intrusion was detected by its security software and access to the account was blocked. The investigation confirmed that a single email account had been compromised after an employee was tricked by a social engineering scam. The window of opportunity for viewing and copying sensitive information in the account was short but it is possible that electronic files in the account may have been compromised. The files were reviewed and confirmed to contain patients’ protected health information such as name, sex, date of birth, medical record number, admission date(s), and medical information such as diagnosis.

Since social security numbers, financial information, bank account numbers, and health insurance information were not compromised, Riverview Health believes the risk of misuse of patient data is low. Riverview Health is reviewing its policies around phishing and social engineering and is evaluating methods and procedures for improving electronic access and controls. Notification letters were mailed to the affected individuals on October 24, 2024. The HHS’ Office for Civil Rights portal indicates that 1,562 individuals were affected.

Smile Design Management, Florida

Smile Design Management, a Tampa, FL-based operator of 50 dental care facilities in Florida, has discovered unauthorized access to files on its network. The breach was detected on February 22, 2024, when unusual network activity related to a third-party software solution was detected.

Third-party cybersecurity specialists were engaged to investigate the activity and confirmed unauthorized access to its network between February 22, 2024, and February 23, 2024. The review of the affected files was completed on August 15, 2024, and after verifying contact information, notification letters were sent to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. The substitute breach notice does not state the types of information compromised in the incident.

Smile Design Management said it has implemented additional technical safeguards to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights on October 10, 2024, as involving the protected health information of 500 individuals.

The post 38,000 Individuals Affected by Center for Urban Community Services Cyberattack appeared first on The HIPAA Journal.

Long Island Plastic Surgical Group, a network of 13 plastic surgery practices in New York, has confirmed to the HHS’ Office for Civil Rights that the protected health information of 161,707 individuals was compromised in a hacking incident earlier this year.

According to its substitute breach notice, external cybersecurity professionals were engaged to investigate the incident and confirmed that a network intrusion occurred between January 4, 2024, and January 8, 2024, involving the exfiltration of a limited amount of patient data. The file review was completed on September 15, 2024, and confirmed that full names had been stolen in combination with some or all of the following: date of birth, Social Security number, driver’s license number/state identification number, passport number, financial account information, medical information, biometric information, health insurance policy information, and clinical photographs.

Long Island Plastic Surgical Group said it is unaware of any improper use of the affected information as a direct result of the incident; however, as a precaution, individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. Long Island Plastic Surgical Group said it had implemented many safeguards to protect patient data and will continue to evaluate and modify its internal controls to further enhance security.

Long Island Plastic Surgical Group did not state in its notification letter whether this was a ransomware attack; however, the Radar threat group claimed responsibility. In a conversation with databreaches.net, a spokesperson for the group said the attack was conducted in conjunction with the ALPHV threat group, where ALPHV handled the intrusion and Radar handled the data exfiltration. Radar claimed that ALPHV was paid a ransom but Radar was not given its cut of the ransom payment. Radar subsequently issued its own ransom demand to prevent the publication of the stolen data; however, the ransom was not paid. The Federal Bureau of Investigation (FBI) has now seized the Radar data leak site.

Dr. Daniel J. Leeman, M.D.

Dr. Daniel J. Leeman, M.D., a Texas-based board-certified plastic surgeon and ENT specialist, has reported a hacking-related data breach to the HHS’ Office for Civil Rights that involved the protected health information of 50,000 patients. This appears to have been a cyberattack on his practice rather than through a business associate. Dr. Leeman filed a breach notice with the Texas Attorney General on September 4, 2024, confirming names, addresses, dates of birth, Social Security numbers, driver’s license numbers, government-issued ID numbers (such as passport numbers or state IDs), financial information (such as account numbers, credit/debit card numbers), medical information, and health insurance information were involved. The affected individuals have now been notified by mail.

Clay Platte Family Medicine – Barry Pointe Family Medicine Clinic – Summit Family and Sports Medicine Clinic – Cobblestone Family Medicine Clinic

The protected health information of patients of Clay Platte Family Medicine and Barry Pointe Family Medicine Clinic in Kansas City, MO; Summit Family and Sports Medicine Clinic in Summit, MO; and Cobblestone Family Medicine Clinic in Liberty, MO was compromised in a June 2024 data security incident. Suspicious network activity was detected on June 26, 2024, and immediate action was taken to secure its network. A cybersecurity firm was engaged to investigate the activity and confirmed that an unauthorized third party had access to the network and potentially viewed or acquired files containing patient information.

On September 10, 2024, the affected clinics confirmed names, addresses, Social Security numbers, dates of birth, and health insurance information were involved. Individual notifications were mailed on October 16, 2024, and complimentary credit monitoring and identity theft protection services have been made available. The breach was reported to the Maine Attorney General as involving the personal information of 53,916 individuals, including 4 Maine residents. The clinics said they are reviewing and enhancing their data security policies and procedures to prevent similar breaches in the future.

Wellfleet Group, LLC

Wellfleet Group, a Massachusetts-based third-party administrator for Wellfleet Insurance Company and Wellfleet New York Insurance Company that provides health insurance solutions and services to students at post-secondary education institutions, is notifying 22,959 individuals that some of their protected health information has been compromised.

Wellfleet Group learned on August 1, 2024, that student medical referral information could be accessed online via search engines and launched an investigation to determine the cause and extent of the data exposure. The investigation revealed a previously unknown misconfiguration on its website “allowed deep-links to the medical referral print page of users to be accessible without authentication.” Search engine web crawlers scraped the referrals and indexed them, allowing them to be found by performing Internet searches using the students’ names.

Wellfleet Group corrected the misconfiguration and worked to have the indexed referrals removed from the Internet. A review was also conducted to identify any further misconfigurations on its website, data security controls for the website were reset, and its standards for review and technical support of applications and software development processes have been updated to prevent similar incidents in the future.

The affected individuals were students participating in their educational institution’s student health plan and the compromised information included their full name, address, phone number, date of birth, insurance group/policy number, school ID number, and health/medical information such as the reason for referral and diagnosis code. The affected individuals have been offered complimentary credit monitoring services.

The post Long Island Plastic Surgical Group Confirms 161K-Record Data Breach appeared first on The HIPAA Journal.