ProSmile Holdings, LLC, a New Jersey dental service organization, started notifying patients on December 22, 2023, about a breach of its email environment. Suspicious activity was detected in July 2022, and a third-party cybersecurity company was engaged to investigate the unauthorized activity and determine if any sensitive data had been exposed or compromised. ProSmile Holdings was notified on December 1, 2022, that numerous email accounts had been compromised and accessed without authorization, and personal and protected health information may have been accessed or acquired.

On January 27, 2023, ProSmile Holdings engaged a vendor to conduct a review of the affected files, and the review was completed on November 29, 2023. The compromised information included names, dates of birth, Social Security numbers, driver’s license or other state identification card numbers, financial account numbers, payment card numbers, medical treatment information, diagnosis or clinical information, provider information, prescription information, and health insurance information.

ProSmile Holdings made an announcement about the data breach on March 28, 2023, but was unable to confirm at that time how many individuals had been affected or what data had been exposed. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

It is also unclear why it took 5 months to discover that patient data was involved, a further two months to initiate a document review, and 10 months to complete that review. The first announcement about the breach was not made for 7 months, and it has taken 17 months for individual notifications to be issued.

Valley Health System Affected by Data Breach at ESO Solutions

Valley Health System in Las Vegas has confirmed that it was affected by a ransomware attack and data breach at its software vendor, ESO Solutions, in late September. ESO notified Valley Health System about the breach in late October and confirmed that patient names, phone numbers, addresses, and some personal or health information were compromised. The breach has affected 5 Valley Health System hospitals: Centennial Hills Hospital, Desert Springs Hospital, Spring Valley Hospital, Summerlin Hospital, and Valley Hospital. The affected individuals were notified about the breach on December 12, 2023.

The post ProSmile Holdings Notifies Patients About July 2022 Data Breach appeared first on HIPAA Journal.

Pan-American Life Insurance Group, Inc. (PALIG) has recently confirmed that it was one of the victims of the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in late May 2023.

PALIG was notified about the vulnerability by Progress Software and immediately disabled to software until the patch could be applied. The patch was applied, and steps were taken to improve the security of its systems. At the same time, an investigation was launched to determine if the vulnerability had been exploited, and that proved to be the case. On October 5, 2023, PALIG determined that files had been removed from the MOVEit server that contained the protected health information of 105,387 individuals, including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, contact information, medical and medical benefits information, subscriber numbers, certain biometric data, and financial account and credit card information.

PALIG has now notified those individuals and has offered complimentary credit monitoring services. PALIG has also confirmed that steps have been taken to further improve security and ensure the security of third-party transfer tools.

Bellin Health Notifies Patients About October Cyberattack

Bellin Health has recently announced that an unauthorized third party gained access to its internal systems and may have viewed or acquired the information of patients who purchased home care equipment between 2006 and 2013. Unauthorized activity was detected within its computer systems on October 27, 2023. Its IT security team immediately took steps to contain the activity and launched an investigation to determine the nature and scope of the unauthorized activity.

Assisted by third-party cybersecurity experts, Bellin Health determined that a cyber actor gained access to a folder containing archived scanned documents that contained patient names in combination with one or more of the following: address, phone number, date of birth, and/or health information related to home care equipment. A limited number of documents also included Social Security numbers.

Bellin Health said it has strengthened system security and will continue investing in cybersecurity. The breach was reported to the HHS’ Office for Civil Rights as affecting 20,790 individuals. Patients whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

Clay County, Minnesota Suffered a Ransomware Attack in October

Clay County in Minnesota announced on December 22, 2023, that it fell victim to a ransomware attack in October. The unauthorized activity was detected in its electronic document management system on October 27, 2023, and the forensic investigation revealed there had been unauthorized access between October 23, 2023, and October 26, 2023, when ransomware was used to encrypt files.

The investigation confirmed that access had been gained to names in combination with one or more of the following: address, date of birth, Social Security number, information regarding services provided by Clay County Social Services (locations of service, dates of service, client identification number or unique identifier), insurance identification number, and insurance or billing information.

Clay County officials confirmed that they have taken several steps to improve security, including implementing multifactor authentication for remote access to the compromised CaseWorks application, updating procedures for external access by vendors, implementing tools to enhance detection and accelerate the response to cyber incidents, and implementing enhanced technical security measures for the CaseWorks application.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Pan-American Life Insurance Group Reports 105,000-Record Data Breach appeared first on HIPAA Journal.

Almost 456,000 individuals have been affected by a Retina Group of Washington data breach and have started receiving notifications, 9 months after the breach occurred.

On December 22, 2023, Retina Group of Washington, PLLC, filed a breach report with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that involved the protected health information of 455,935 individuals. Notification letters started to be mailed the same day.

According to the notification letters, Retina Group of Washington started experiencing difficulty accessing information on some of its systems on March 26, 2023. An investigation was launched, and the Federal Bureau of Investigation (FBI) was notified, and it was determined that the file access problems were due to a cyberattack.

Retina Group of Washington did not state the cause of the cyberattack but the wording of the letters suggests this was a ransomware attack. In the notification letters, Retina Group of Washington said the investigation into the cyberattack is still ongoing, but it has been confirmed that patient data was stolen in the attack.

The types of information involved include names, addresses, telephone numbers, email addresses, dates of birth, demographic information, Social Security numbers, Driver’s license numbers, medical record numbers, health information, payment information, and health insurance information.

Retina Group of Washington said it has not identified any attempted or actual misuse of patient data and will continue to implement additional procedures and security measures to strengthen the security of its systems.

Based on the breach notifications, it does not appear that credit monitoring and identity theft protection services are being offered. Affected patients have been told to “remain vigilant against incidents of identity theft and fraud, to review their account and explanation of benefits statements, and to monitor their free credit reports for suspicious activity and to detect errors.” Retina Group of Washington also suggests placing a credit freeze on accounts.

The post Retina Group of Washington Data Breach Affects 456,000 Patients appeared first on HIPAA Journal.