Morris Hospital & Healthcare Centers Notifies Almost 249,000 Patients About April Cyberattack

Morris Hospital & Healthcare Centers in Illinois has started notifying 248,943 individuals about a cyberattack that was detected on April 4, 2023. When the breach was detected, third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the incident. They confirmed that files containing protected health information had been exfiltrated from its systems by unauthorized individuals.

The stolen files included the protected health information of current and former patients, employees, and their dependents and beneficiaries, including names, addresses, dates of birth, Social Security numbers, medical record numbers, account numbers, and diagnostic/treatment codes. While there has been no detected misuse of the stolen data, affected individuals have been advised to be cautious and take advantage of the complimentary identity theft resolution services that have been offered.

Morris Hospital & Healthcare Centers did not state the identity of the attackers in the notification letters, nor mention the nature of the attack. The HIPAA Journal can confirm that the Royal Ransomware group has claimed responsibility for the attack and added Morris Hospital to its dark web data leak site on May 22, 2023, along with some of the data that was compromised in the attack.

Jefferson Health DEXA Scan Backup Drive Lost or Stolen

Jefferson Health has recently started notifying patients of its Cherry Hill Hospital in New Jersey that some of their protected health information may have been compromised. Data was stored on a backup drive that was connected to its DEXA scan device. During routine maintenance, its vendor discovered the backup drive to be missing. An investigation was launched; however, it was not possible to determine what happened to the drive and it has been presumed lost or stolen.

The backup drive contained names, dates of birth, medical record numbers, study dates, and, for some individuals, mailing addresses. The device also included other information, but it could not be accessed without valid credentials and the appropriate software and technology. That information included diagnoses, phone numbers, Social Security numbers, insurance information, driver’s license numbers, and scans. Jefferson Health said it is reviewing and enhancing its security protocols to prevent similar incidents in the future.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Pathways to Wellness Medication Clinics Reports Ransomware Attack

Patients of Pathways to Wellness Medication Clinics in Oakland, Union City, and Pleasanton in California have been notified that some of their protected health information was exposed in a cyberattack that was detected on March 28, 2023. An unauthorized individual gained access to and disabled its network. Third-party cybersecurity experts were engaged to investigate the breach and secure its systems, and technical safeguards have been reviewed and are being updated to better protect patient data.

While no reports of misuse of patient data had been received up to July 5, 2023, data theft may have occurred. The exposed information included first name, last name, address, health insurance information, provider name, Social Security number, date of birth, and gender. Affected individuals have been offered complimentary single bureau credit monitoring services. The incident has not yet been added to the Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Morris Hospital & Healthcare Centers Notifies Almost 249,000 Patients About April Cyberattack appeared first on HIPAA Journal.

CentroMed Notifies 350,000 Individuals About PHI Exposure

El Centro Del Barrio, doing business as CentroMed in San Antonio, TX, has alerted 350,000 patients that some of their protected health information was potentially compromised in a hacking incident that was detected on June 12, 2023. The forensic investigation confirmed that some of its IT systems were accessed by unauthorized individuals on June 9, 2023. Access to files containing protected health information was confirmed, and data theft could not be ruled out. The affected files contained the information of current and former patients, employees, and employee and provider spouses, partners, and dependents.

The affected patient data included names, addresses, dates of birth, Social Security numbers, financial account information, medical record numbers, health insurance plan member IDs, and claims data (including any diagnoses listed on claims). Employee and spouse/partner/dependent data included names, Social Security numbers, financial account information, health insurance plan member IDs, and claims data. The affected individuals started to be notified by mail on August 11, 2023. CentroMed said additional safeguards and technical security measures have been implemented to prevent similar breaches in the future.

MOVEit Transfer Hacking Victims

Several more organizations have confirmed that they had data stolen by the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution.

Unum Group

Unum Group has confirmed that the protected health information of 531,732 individuals was compromised. Suspicious activity was detected within its environment on June 1, 2023, and it was confirmed on July 22, 2023, that the following data types had been compromised: name, date of birth, address, Social Security number or individual tax identification number, medical, health insurance claim, and policy information. A limited number of individuals also had financial information and/or other government-issued identification numbers compromised. Credit monitoring and identity protection services have been offered.

UMass Chan Medical School

UMass Chan Medical School said the protected health information of 134,000 individuals was compromised in the attack. The breach was discovered on June 1, 2023, and the medical school determined the affected individuals and the compromised data types on July 27, 2023. The information involved varied from individual to individual and may have included the following data types: name, date of birth, mailing address, diagnosis/treatment information, prescription information, provider name, date(s) of service, claim information, health insurance member ID number, other health insurance-related information, Social Security number, and financial account information. Credit monitoring and identity protection services have been offered.

Sovos Compliance

Sovos Compliance, a provider of tax compliance and business-to-government reporting software, reported its breach to the Maine Attorney General as affecting a total of 18,513 individuals, although its OCR breach report indicates the PHI of 4,563 individuals was compromised in the attack. The breach was discovered on June 12, 2023, and the investigation confirmed personally identifiable information and Social Security numbers had been stolen. Credit monitoring and identity protection services have been offered.

Data Media Associates

Data Media Associates, a billing service provider to UB Dental Clinic in Buffalo, NY, said its investigation confirmed on July 20, 2023, that the data of 765 UB Dental patients was compromised. The breach was limited to patients who received billing statements between May 4 and May 26, 2023. The compromised information involved the following data elements: practice demographics, patient account number, patient name, guarantor demographics, statement date, amount due, service date, service/payment descriptions, charge amount, payments, or adjustments.
