Longhorn Imaging Center Cyberattack Affects More than 100,000 Patients

Posted by Steve Alder

Data breaches have recently been announced by Longhorn Imaging Center in Texas, Woodfords Family Services in Maine, Prestige Care/Prestige Senior Living in Washington, WellLife Network Inc. in New York, and Frederiksted Health Care in the U.S. Virgin Islands.

Longhorn Imaging Center Data Breach

South Austin Health Imaging LLC, which does business as Longhorn Imaging Center in Austin, TX, has recently reported a hacking incident to the HHS’ Office for Civil Rights that has affected 100,643 patients. According to the breach notice submitted to the Texas Attorney General, the breached information included full names, addresses, dates of birth, medical information, and health insurance information. Notification letters are now being sent to the affected individuals.

There is currently no substitute breach notice on the Longhorn Imaging Center website and the imaging center has yet to confirm exactly what happened, including when the breach occurred and when it was detected; however, this appears to have been an attack by the SiegedSec threat group – the group behind the recent attack on the Idaho National Laboratory.

In early June, the group added Longhorn Imaging Center to its data leak site and claimed it had exfiltrated a database that included “physician full names, patient full names, patient treatment info, patient data of birth, patient gender, treatment date, institution name, and lost more.”

Woodfords Family Services Data Breach

Woodfords Family Services, a Westbrook, ME-based provider of services to people with special needs and their families, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 6,691 individuals.

According to its substitute breach notification, the forensic investigation confirmed that its network was accessed by an unauthorized third party on or around June 19, 2023, and files containing a limited amount of personal information may have been removed from its network. The document review confirmed the files contained full names in combination with one or more of the following: address, date of birth, phone number, email address, Social Security number, driver’s license number, government-issued identification number, medical record number, full face photo, unique identifier, certificate/license number, financial account information, credit/debit card information, passport number, medical treatment/diagnosis information, and/or health insurance policy information.

Affected individuals were notified on November 10, 2023, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

Prestige Care Data Breach

Prestige Care/Prestige Senior Living in Washington has recently announced that it fell victim to a cyberattack that was detected on or around September 7, 2023, that resulted in its network being infected with malware that prevented access to certain files. The investigation confirmed the unauthorized actor accessed files on its systems the same day the breach was detected.

The investigation and file review are ongoing, and the total number of individuals affected has yet to be determined, although Prestige has said the information of current and former employees and residents was compromised in the attack. The impacted information varies from individual to individual and may include names, Social Security numbers, dates of birth, medical information, and health insurance information. Notification letters will be sent to the affected individuals when the review is completed. To meet regulatory breach reporting requirements, the incident has been reported to the HHS’ Office for Civil Rights as affecting at least 501 individuals. The total will be updated when the review is completed.

The HIPAA Journal previously reported that the ALPHV/BlackCat ransomware group claimed responsibility for the attack and had added Prestige to its data leak site and claimed to have stolen 260 GB of data. While the listing is still on the leak site, no data is currently downloadable.

WellLife Network Inc. Data Breach

WellLife Network Inc., a New York-based provider of behavioral health services, has recently issued an interim notification about a cyberattack that was detected on September 7, 2023. Third-party cybersecurity specialists were engaged to investigate unauthorized network activity and confirmed that an unauthorized third party accessed its network between August 26, 2023, and September 7, 2023, and viewed and/or copied files containing patient information.

The WellLife Network has started a manual and programmatic review of the affected files to determine the affected data and the number of individuals impacted. That review is ongoing, but it appears that the types of information involved include name, date of birth, demographic information, and/or other personal or health information. Individual notifications will be sent to the affected individuals when the review is completed. To meet regulatory breach reporting requirements, the incident has been reported to the HHS’ Office for Civil Rights as affecting at least 501 individuals. The total will be updated when the review is completed.

Frederiksted Health Care Data Breach

Frederiksted Health Care, Inc., a healthcare provider serving patients in the St. Croix community in the U.S. Virgin Islands, confirmed to local media in late October that it had suffered a cyberattack. Steps were immediately taken to secure its systems and an investigation was launched to determine the nature and scope of the incident. Local media reports indicate this was a ransomware attack. The healthcare provider has recently reported the incident to the HHS’ Office for Civil Rights as affecting 600 individuals.

The post Longhorn Imaging Center Cyberattack Affects More than 100,000 Patients appeared first on HIPAA Journal.

Warren General Hospital Data Breach Affects 169,000 Patients

Posted by Steve Alder

Data breaches have recently been reported by Warren General Hospital in Pennsylvania, Southwest Behavioral Health Center in Utah, CareTree in Illinois, and the Medical University of South Carolina.

Warren General Hospital Data Breach

On November 9, 2023, Warren General Hospital (WGH) in Warren, PA, announced it had fallen victim to a cyberattack that potentially affected the confidential information of current and former patients and employees. Suspicious activity was detected within its network on September 24, 2023. Assisted by third-party cybersecurity experts, WGH determined that an unauthorized actor had access to its network between September 15, 2023, and September 23, 2023, and during that time, downloaded files from its network.

The review of the files confirmed they contained names, in combination with one or more of the following:  address, date of birth, Social Security number, financial account information, payment card information, health insurance claims information, and medical information, which may have included diagnosis, medications, lab results, and other treatment information.

WGH said existing policies and procedures have been reviewed, administrative and technical controls have been enhanced, and additional security training has been provided to the workforce. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 168,921 patients.

Southwest Behavioral Health Center Data Breach

Southwest Behavioral Health Center, a Saint George, UT-based provider of mental health treatment and psychiatric services, has recently reported a data breach to the HHS’ Office for Civil Rights that affected 17,147 current and former patients.

A security breach was detected on March 13, 2023, and a third-party cybersecurity firm was engaged to investigate and determine the extent to which patient data had been compromised. The investigation revealed an unauthorized third party gained access to parts of its system containing files that included patient data prior to March 13, 2023l however, it was not possible to determine the specific files that may have been accessed or copied from its network.

The review of the files potentially involved confirmed they contained patient data such as names, dates of birth, Social Security numbers, personal health record information, and medical information. After verifying contact information, notification letters started to be issued on November 9, 2023, to all patients that had potentially been affected.

Medical University of South Carolina Data Breach

The Medical University of South Carolina (SUMC) in Charleston has been affected by a data breach at one of its third-party vendors. Westat collects data from SUMC patients on behalf of the Centers for Disease Control and Prevention (CDC) for public health reporting purposes. Westat used Progress Software’s MOVEit Transfer file transfer solution, a zero-day vulnerability in which was exploited by the Clop hacking group between May 28 and May 29, 2023. Westat has already reported the breach to the HHS’ Office for Civil Rights in two separate reports, one affecting 50,065 individuals and a second affecting 20,045. SUMC reported the breach as affecting 1,758 individuals and said it involved names, addresses, dates of birth, diagnoses, provider names, and insurance information.

CareTree Data Breach

CareTree Inc., a Chicago, IL-based provider of smart care management and patient advocate software for care providers, has recently confirmed there has been unauthorized access to the CareTree platform. Suspicious activity was detected within its platform on or around August 16, 2023. The forensic investigation confirmed access to the platform was gained on July 21, 2023.

The review of the affected files confirmed that they contained the information of 1,097 CareTree patients; however, CareTree was unable to confirm the specific information exposed for each patient because the information is no longer available. The types of information potentially compromised included names, addresses, driver’s license numbers, Social Security numbers, financial account information, dates of birth, medical information including diagnosis, lab results, medications or other treatment information, and/or health insurance information. In its substitute breach notice, CareTree said, “CareTree will provide notice of this event to all individuals whose personal information was involved, along with information and steps potentially impacted individuals can take to better protect their information.”

The post Warren General Hospital Data Breach Affects 169,000 Patients appeared first on HIPAA Journal.