California Physicians’ Service, which does business as Blue Shield of California, has confirmed that it has been affected by the mass exploitation of a vulnerability in Progress Software’s MOVEit Transfer file transfer solution. The breach has been reported to the HHS’ Office for Civil Rights in two separate breach reports, one involving the data of 636,848 Blue Shield of California plan members and another that has affected 26,523 Blue Shield of California or Blue Shield of California Promise Health Plan members.

The breach occurred at an unnamed vendor of Blue Shield of California that managed vision benefits. The vendor used the MOVEit Transfer solution to transfer large files as part of its contracted duties. A zero-day vulnerability in the MOVEIt Transfer solution was exploited between May 28, and May 31, 2023, and files were exfiltrated that included members’ names, birthdates, addresses, subscriber ID numbers, subscribers’ names, birthdates, Social Security numbers, group ID numbers, vision providers’ names, patient ID numbers, vision claims numbers, vision-related treatment and diagnosis information, and vision-related treatment cost information. The Clop hacking group claimed responsibility for the hacks.

Blue Shield of California said its own systems were not compromised. The breach was limited to the MOVEit Transfer server. Credit monitoring and identity restoration services have been offered to the affected individuals.

Wyoming County Community Health System Confirms March 2023 Cyberattack

Wyoming County Community Health System in Warsaw, NY, has experienced a cybersecurity incident that has caused network disruption. The security breach was detected on March 28, 2023, and the subsequent forensic investigation determined that files had been exposed on that date and may have been accessed or acquired by unauthorized individuals. A review was then conducted of the files to determine the individuals and types of data involved, and that process was completed on November 8, 2023. The review confirmed up to 26,000 individuals had been affected and had some or all of the following information exposed: name, Social Security number, driver’s license/state identification number, date of birth, biometric data, medical information, health insurance information, and account number.

Notification letters were sent to the affected individuals on November 16, 2023. Wyoming County Community Health System said it has implemented additional measures to enhance network security and minimize the risk of a similar incident occurring in the future.

Westside Community Services Confirms Cyberattack and Data Theft

The San Francisco, CA-based social services organization, Westside Community Services, has notified 2,484 individuals about a security breach involving unauthorized access to its network between April 25, 2023, and May 1, 2023. Third-party cybersecurity professionals were engaged to conduct a forensic investigation and confirmed that files had been exfiltrated from its network. The document review was completed on October 16, 2023.

The stolen files included full names along with one or more of the following: Social Security numbers, dates of birth, driver’s license numbers or state identification numbers, passport numbers, other government identification numbers, financial account information, credit or debit card information, usernames and passwords associated with one or more online accounts, medical information (date of service, provider name, medical record number, patient number, medical history, surgical information, medication, and/or treatment information), and/or health insurance policy information. Westside Community Services said it continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information and will continue to do so.

Unauthorized Email Access Reported by Molina Healthcare of Iowa

Molina Healthcare of Iowa, Inc. says it discovered on November 22, 2023, that there had been unauthorized access to an employee email account between September 25 and 26, 2023. It was not possible to determine if any information in the email account was copied, but the review of the emails confirmed that they contained the protected health information of 1,647 Medicaid recipients. Those individuals have been notified about the breach by mail. Molina Healthcare of Iowa said the breach did not affect any members covered by other managed care organizations.

This is the third incident to affect Molina Healthcare of Iowa members this year. On May 31, 2023, Amerigroup inadvertently disclosed personal health information for 833 Iowa Medicaid members to 20 providers in explanation of payment notices; and on May 26, 2023, a Medicaid contractor confirmed there had been unauthorized access to its systems on March 6, 2023, which affected 233,000 Medicaid members.

Robeson Health Care Corporation Updates Data Breach Notice

Robeson Health Care Corporation has provided an update on a breach that was previously reported to the Maine Attorney General as affecting 15,045 individuals. The investigation has confirmed that a further 62,627 individuals have been affected. The incident has been previously covered by The HIPAA Journal in this post.

The post Hundreds of Thousands of Blue Shield of California Members Affected by MOVEit Hack appeared first on HIPAA Journal.