November 14, 2023, Healthcare Data Breach Round Up

A round-up of healthcare data breaches that have recently been reported to the HHS’ Office for Civil Rights and State Attorneys General.

PHI Compromised in Cyberattack on Regional Family Medicine

Regional Family Medicine in Mountain Home, AR, has recently notified the Maine Attorney General about a data breach that involved the personal and protected health information of 80,166 individuals. An IT outage was experienced on June 26, 2023, which prevented access to certain local systems. Third-party cybersecurity experts were engaged to investigate the incident and confirmed there had been unauthorized access to its network between June 8 and June 26, 2023.

The parts of the network that were compromised contained files that included information such as names, Social Security numbers, driver’s license or state identification numbers, dates of birth, biometric data, medical information, health insurance information, account numbers, and workplace evaluations. Following the attack, Regional Family Medicine enhanced its security measures to prevent similar breaches from occurring in the future. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Florida Community Care Affected by MOVEit Hack at ILS

Florida Community Care, LLC, a Miami-Dade County, FL-based health plan, has recently confirmed that the information of 30,891 of its members was compromised when a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution was exploited. Progress Software released a patch for the flaw on May 31, 2023; however, the flaw had already been exploited.

The MOVEit Transfer tool was used by its business associate, Independent Living Systems. No Florida Community Care systems were compromised. The compromised information included names, subscriber numbers, and policy numbers. Independent Living Systems is notifying the affected individuals and is offering complimentary credit monitoring and remediation services.

Email Account Breach Reported by Neuromusculoskeletal Center of the Cascades

The protected health information of 22,328 patients of the Neuromusculoskeletal Center of the Cascades and the Cascade Surgicenter in Oregon has been exposed and potentially obtained by unauthorized individuals. Suspicious activity was identified in an employee’s email account on October 3, 2023. The investigation revealed multiple email accounts had been compromised between October 2, 2023, and October 3, 2023.

The review of the email accounts was completed on November 21, 2023, and confirmed they contained patient names along with one or more of the following: address, phone number, email address, date of birth, Social Security number, driver’s license/state ID number, financial account number, routing number, financial institution name, credit/debit card information, treatment/diagnosis information, prescription information, provider name, medical record number, Medicare/Medicaid ID number, health insurance information, treatment cost, and/or digital signature. Email security policies and procedures have been reviewed and updated, and credit monitoring and identity theft protection services have been offered to the affected patients.

PHI Exposed in Phishing Attack on The Amani Center

Columbia County Child Abuse Assessment Center, which does business as The Amani Center in Oregon, identified suspicious activity in an employee email account on August 18, 2023. The investigation revealed several email accounts had been compromised in the attack, which affected several businesses and organizations in its community and resulted in unauthorized access to accounts between August 7, 2023, and August 18, 2023.

The review of the accounts was completed on October 19, 2023, and confirmed the following information had been exposed: names, medical information, medical record numbers, health insurance information, Social Security numbers, driver’s license numbers, financial account information, treatment/diagnosis information, prescription information, medical record/patient ID numbers, health insurance information, treatment cost information, or other information provided to The Amani Center.

No evidence of misuse of patient data has been found, and while the risk of data misuse is believed to be low, complimentary credit monitoring and identity protection services have been offered to the affected individuals. The breach was reported to the Office for Civil Rights as affecting 2,374 individuals.

The Children’s Home of Wyoming Conference Email Breach

The Children’s Home of Wyoming Conference in Binghamton, NY, a provider of community services to children and families, identified suspicious activity in two employee email accounts on June 13, 2023. After the accounts were secured, the affected mailboxes were reviewed, and on September 12, 2023, it was confirmed that one of those accounts contained protected health information.

The affected individuals had previously received medical treatment from the Children’s Home of Wyoming Conference. The exposed information included names, dates of birth, Social Security numbers, addresses, medical record numbers, patient account numbers, health insurance information, diagnosis and treatment information, clinical and prescription information, and/or provider information. Notification letters were sent on November 10, 2023, along with information to help those people prevent any misuse of their data. The breach was reported to the Office for Civil Rights as affecting 1,111 individuals.

The post November 14, 2023, Healthcare Data Breach Round Up appeared first on HIPAA Journal.

Harrisburg Medical Center Data Breach: PHI of 148,000 Individuals Compromised in 2022

Harrisburg Medical Center, which is part of the Southern Illinois Healthcare network, has recently started notifying 147,826 individuals that some of their personal and protected health information has been compromised. Notification letters about the Harrisburg Medical Center data breach started to be sent to the affected individuals on December 12, 2023; however, the cyberattack was detected a year previously on December 23, 2022.

According to the notification letter sent to the Maine Attorney General, Harrisburg Medical Center discovered and blocked the attack on December 23, 2022, and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and extent of the attack. The investigation confirmed that protected health information had been exposed between December 19, 2022, and December 23, 2023, and during that time, files were removed from its systems.

Harrisburg Medical Center said it conducted a review of the documents involved and confirmed on August 24, 2023 – 8 months after the attack was detected – that the files contained names and Social Security numbers, along with some or all of the following information: date of birth, diagnosis/conditions, lab results, and prescription information. Some individuals may also have had their health insurance information, driver’s license/state ID number, digital/electronic signature, and/or financial account number exposed or stolen. No explanation was given about why it took a further four months to issue individual notifications to the affected individuals.

Despite the data breach occurring in December 2022 and PHI being confirmed as involved on August 24, 2023, the incident is still not showing on the HHS’ Office for Civil Rights breach portal. The HIPAA Breach Notification Rule states that breaches must be reported within 60 months of discovery of the breach.

Unsurprisingly, given the length of time taken to notify the affected individuals and the lack of transparency, patients have been looking to take legal action over the breach and theft of their data. Several law firms have opened investigations with a view to filing class action lawsuits.

The post Harrisburg Medical Center Data Breach: PHI of 148,000 Individuals Compromised in 2022 appeared first on HIPAA Journal.