Western Washington Medical Group, a team of more than 100 providers serving patients in Snohomish, Skagit, Island, and Whatcom counties in Washington state, has recently reported a data breach to the HHS’ Office for Civil Rights (OCR) that has affected up to 350,863 patients.

At this stage, little is known about the Western Washington Medical Group data breach. The breach was reported to OCR on October 26, 2023, but there is no notice on the medical group’s website or the Washington Attorney General’s website at this stage. All that is currently known is this was a hacking/IT incident involving one or more network servers. Based on the HHS breach summary, the breach occurred at Western Washington Medical Group and did not involve any business associates.

This post will be updated when further information becomes available.

Dakota Eye Institute Reports Hacking.IT Incident Impacting 107,143 Patients

Bismarck, ND-based Dakota Eye Institute (DEI), has recently reported a data breach to OCR that involved the protected health information of up to 107,143 patients. DEI explained in its website substitute data breach notification that it experienced a cybersecurity incident and engaged third-party cybersecurity experts to assess, contain, and remediate the incident.

No information was provided about the nature of the breach when it was detected, for how long its systems were accessed or data was exposed, nor the types of information involved. The OCR breach report indicates no business associate involvement. Affected individuals are being notified by mail and have been offered complimentary credit monitoring services. DEI said it has reviewed and enhanced its data security policies and procedures to help reduce the likelihood of a similar event in the future.

Dallas County Investigating Attempted Ransomware Attack

Dallas County officials have confirmed that they detected a cybersecurity incident on October 19, 2023, which appears to have been an attempted ransomware attack. The cybersecurity experts engaged to assist with containing the incident were able to prevent any files from being encrypted. Access is thought to have been gained via a phishing email. The investigation into the breach is ongoing and little information has been released at this stage, such as whether sensitive data was exfiltrated in the attack. Further information will be released as the forensic investigation advances.

On October 28, 2023, the Play hacking group claimed responsibility for the attack and added Dallas County to its data leak site. Currently, no stolen data has been leaked on the dark web site; however, the threat group has given county officials until Friday, November 3, 2023, to make contact and pay the ransom, otherwise the stolen data will be published. The group does not state how much data was stolen, only that the data obtained includes private documents of Dallas County departments.

The Play hacking group is known to target government entities and was behind an earlier attack on the City of Oakland in California. The group published stolen data when the ransom was not paid. In that attack, they stole the personal data of city employees, including financial information, IDs, passports, and human rights violation information.

The post Western Washington Medical Group Reports 350,000-Record Data Breach appeared first on HIPAA Journal.