Harrisburg Medical Center Data Breach: PHI of 148,000 Individuals Compromised in 2022

Harrisburg Medical Center, which is part of the Southern Illinois Healthcare network, has recently started notifying 147,826 individuals that some of their personal and protected health information has been compromised. Notification letters about the Harrisburg Medical Center data breach started to be sent to the affected individuals on December 12, 2023; however, the cyberattack was detected a year previously on December 23, 2022.

According to the notification letter sent to the Maine Attorney General, Harrisburg Medical Center discovered and blocked the attack on December 23, 2022, and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and extent of the attack. The investigation confirmed that protected health information had been exposed between December 19, 2022, and December 23, 2023, and during that time, files were removed from its systems.

Harrisburg Medical Center said it conducted a review of the documents involved and confirmed on August 24, 2023 – 8 months after the attack was detected – that the files contained names and Social Security numbers, along with some or all of the following information: date of birth, diagnosis/conditions, lab results, and prescription information. Some individuals may also have had their health insurance information, driver’s license/state ID number, digital/electronic signature, and/or financial account number exposed or stolen. No explanation was given about why it took a further four months to issue individual notifications to the affected individuals.

Despite the data breach occurring in December 2022 and PHI being confirmed as involved on August 24, 2023, the incident is still not showing on the HHS’ Office for Civil Rights breach portal. The HIPAA Breach Notification Rule states that breaches must be reported within 60 months of discovery of the breach.

Unsurprisingly, given the length of time taken to notify the affected individuals and the lack of transparency, patients have been looking to take legal action over the breach and theft of their data. Several law firms have opened investigations with a view to filing class action lawsuits.

The post Harrisburg Medical Center Data Breach: PHI of 148,000 Individuals Compromised in 2022 appeared first on HIPAA Journal.

Pan-American Life Insurance Group Data Breach Affects 200,000 Individuals

Pan-American Life Insurance Group MOVEit Data Breach

The Pan-American Life Insurance Group in Louisiana has confirmed that it was one of the victims of the mass hacking of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution in late May 2023 by the Clop hacking group. Progress Software released a patch to fix the previously unknown vulnerability on May 31, 2023; however, by that time the Clop hacking group had already mass exploited the flaw to gain access to MOVEit servers. More than 2,600 organizations worldwide are now known to have been affected, and between 78 and 83 million individuals have had their data stolen in the attacks.

The Pan-American Life Insurance Group said it immediately stopped using the MOVEit Transfer tool for file transfers when it was notified about the vulnerability and hired a cybersecurity firm to determine if the flaw had been exploited. The investigation confirmed that files had indeed been stolen. A review of those files was initiated, and on October 5, 2023, it was confirmed that they contained personal and protected health information, including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, contact information, medical and medical benefits information, subscriber numbers, certain biometric data, and financial account and credit card information.

The Pan-American Life Insurance Group has arranged for the affected individuals to be provided with 24 months of complimentary credit monitoring and identity theft protection services. The breach was reported to the HHS’ Office for Civil Rights in two separate breach reports that affected 105,387 and 94,807 individuals.

Dameron Hospital Investigating Cyberattack

Dameron Hospital in Stockton, CA, has confirmed that it recently suffered a cyberattack that has affected some of its network systems. The lack of critical systems has caused disruption, and some procedures have been rescheduled until all systems are brought back online; however, a spokesperson for the hospital confirmed that its patient care operations and emergency department are continuing to function as normal. An investigation has been launched to determine the nature and scope of the incident and whether any patient data has been exposed or stolen. Further information will be released as the investigation progresses.

Hunters International Claim Responsibility for Cyberattack on Covenant Care

Covenant Care, a provider of skilled nursing, residential care, and home healthcare in California and Nevada, appears to have experienced a cyberattack involving data theft. The Hunters International hacking group has added Covenant Care to its data leak site and has been adding patient data to that site, indicating Covenant Care has refused to pay the ransom. Covenant Care has not confirmed whether the hacking group’s claims are genuine.

Covenant Care is no stranger to data breaches, having fallen victim to multiple phishing attacks in the past 5 years, including one in 2019 that affected 7,858 patients and another in 2022 that involved the PHI of 23,093 patients. In response to the 2019 attack, the HHS’ Office for Civil Rights issued technical assistance to help Covenant Care with its security management process.

The post Pan-American Life Insurance Group Data Breach Affects 200,000 Individuals appeared first on HIPAA Journal.