Proliance Surgeons, a Seattle, WA-based surgical group that has around 100 locations in Washington state, has notified 437,392 individuals that some of their protected health information may have been stolen in a ransomware attack earlier this year. The breach notice on the website of Proliance Surgeons states that a forensic investigation was conducted by third party cybersecurity experts which confirmed that some files had been removed from its network before files were encrypted.

On May 24, 2023, it was confirmed that files containing patients’ protected health information may have been accessed or acquired on February 11, 2023. At the time it was unclear exactly how many individuals had been affected. A comprehensive review was conducted of all files potentially accessed or acquired in the attack, which confirmed they contained names in combination with one or more of the following: date of birth, Social Security number, medical treatment information, health insurance information, phone number, email address, financial account number, driver license or other identification information, and usernames and passwords.

Proliance Surgeons said immediate action was taken to protect patients’ private information and cybersecurity protocols have since been enhanced. There is no mention of credit monitoring or identity theft protection services. At least one lawsuit has already been filed against Proliance Surgeons in response to the breach.

Medical College of Wisconsin Says 240,000 Individuals Affected by MOVEIt Transfer Hack

The Medical College of Wisconsin (MCW) has confirmed that the protected health information of 240,667 individuals was stolen by the Clop hacking group, which exploited a zero day vulnerability in Progress Software’s MOVEit Transfer solution.  MCW was contacted on May 31 by Progress Software and implemented the patch and recommended mitigation measures but discovered the vulnerability had already been exploited on or around May 27, 2023.

The forensic investigation and document review was completed on or around September 21, 2023, and confirmed that the stolen data included full names, dates of birth, Social Security numbers, driver’s license/government identification numbers, financial account information, medical record/patient account number(s), medical diagnosis/treatment information, medical provider name(s), lab results, prescription information, and health insurance information.

Notification letters started to be mailed to the affected individuals on November 14, 2023. Individuals who had their Social Security numbers stolen have been offered complimentary credit monitoring and identity theft protection services.

Data Stolen in Ransomware Attack on Rock County, Wisconsin

Legal Counsel for Rock County in Wisconsin has issued notification letters about a cyberattack and data breach that affected 25,823 individuals. According to the notification letters, suspicious activity was detected within its computer systems on or around September 29, 2023. The forensic investigation confirmed that unauthorized individuals had access to its network between September 22, 2023, to September 30, 2023, and during that time, acquired certain files from its network.

A review of the affected files was initiated to determine the individuals affected and the types of data stolen in the attack. That review is ongoing, but it has been confirmed that the data impacted included names and Social Security numbers. Complimentary credit monitoring services have been offered to the affected individuals.

The nature of the attack was not disclosed, other than the attack involving data theft. The HIPAA Journal has confirmed that this was a ransomware attack by the Cuba ransomware group, which has listed Rock County on its data leak site. Victims are therefore strongly advised to take advantage of the credit monitoring services being offered.

The post Almost 440,000 Individuals Affected by Cyberattack on Proliance Surgeons appeared first on HIPAA Journal.

The State of Maine has confirmed that the protected health information of 453,894 individuals was stolen in the recent mass hacking of a zero-day vulnerability in Progress Software’s MoveIT Transfer solution. Progress Software released a patch to fix the vulnerability on May 31, 2023; however, the vulnerability had already been exploited. The State of Maine’s investigation confirmed that the vulnerability had been exploited between May 28, 2023, and May 29, 2023, and sensitive data had been stolen by the Clop hacking group.

The breach was limited to its MOVEit server, and no other systems were compromised. The Clop hacking group claimed they were only interested in hacking businesses and said they would delete all data stolen from governments; however, the State of Maine is urging all affected individuals to ignore those claims and take steps to protect themselves against fraud. The individuals affected may have been Maine residents, employees, or could have received services from or interacted with a state agency. Maine also participates in data sharing agreements with other organizations to enhance the services it offers to residents and the public.

The data exposed would depend on the interactions with state agencies. All affected individuals who had their Social Security numbers or taxpayer identification numbers stolen have been offered two years of complimentary credit monitoring and identity protection services.

Affinity Legacy Inc. Affected by MOVEit Hack

Affinity Legacy Inc., formerly known as Affinity Health Plan, Inc., has confirmed that it was affected by the recent MOVEit Transfer hacks. The breach occurred at one of its business associates, which provided claims processing services, and used the software solution for file transfers.

The vulnerability was exploited between May 30 and June 2, 2023, and on June 21, 2023, the vendor determined that certain files had been downloaded by the attackers that contained the protected health information of 5,538 individuals who were either Affinity Health Plan members prior to 2019, or EmblemHealth Medicare Advantage Plan members after 2019. The stolen data included names, mailing addresses, dates of birth, Social Security numbers, Medicare numbers and/or medical diagnosis codes. Complimentary personal identity and privacy protection services have been offered to the affected individuals.

The Charles Lea Center Suffers Ransomware Attack

The Charles Lea Center, a non-profit organization in Spartanburg County, SC, has recently notified 1,250 individuals that some of their personal information was compromised in a June 2023 ransomware attack. The incident was detected on June 19, 2023, when a portion of its network was encrypted. A ransom demand was issued, and the threat actor claimed to have exfiltrated a limited number of files from its systems.

While the forensic investigation could not determine the specific types of information that had been compromised, the file review confirmed on October 2, 2023, that the exposed files contained names, Social Security numbers, dates of birth, and some medical treatment information. The Charles Lea Center has offered the affected individuals complimentary credit monitoring services and has advised them to monitor their financial account statements regularly for signs of fraud. The Charles Lea Center said it had taken steps to ensure the privacy of data before the attack and will be augmenting those measures to further enhance security.

Detroit Chassis Health Plan Member Data Exposed

Detroit Chassis in Michigan, a provider of niche vehicle manufacturing solutions, was the victim of a sophisticated cyberattack that occurred on or around March 12, 2023. When the attack was detected, immediate action was taken to secure its systems and third-party cybersecurity experts were engaged to investigate. The investigation confirmed that the attackers had access to parts of its network that contained the data of 958 members of its health plan which was stored on an email server that was in the process of being decommissioned.

Detroit Chassis said, “While we believe there is a reasonable basis to conclude this information was not subject to unauthorized acquisition, we were unable to rule it out.” The server contained information such as names, addresses, dates of birth, Social Security numbers, driver’s licenses, financial account information, passport numbers, credit card numbers, state identification numbers, usernames and access information for non-financial accounts, medical information, health insurance numbers and information related to its employee prescription benefits plan.

Medical Records Stolen in Lakeview Healthcare System Break-in

Lakeview Healthcare System, a central Florida health system, had a break-in at its Fern Drive location in Leesburg on September 29, 2023.  The break-in occurred around 5 a.m. and the intruder stole three password-protected mobile devices and medical records that contained the protected health information of patients. The paper records included information such as names, addresses, diagnosis and treatment information, and billing information.

Lakeview Healthcare System said it has engaged in extensive remediation efforts to minimize the risk of similar incidents in the future, has reviewed its security policies and procedures, and has re-educated the workforce on data security and secure document storage. Physical security measures are being assessed at each location, including using more shred bins, upgrading physical locks, and implementing additional access controls to allow for faster and more precise termination of access.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 2,495 individuals.

The post State of Maine Reports 450,000-Record Data Breach appeared first on HIPAA Journal.