Allegheny County in Pennsylvania has recently confirmed that the protected health information of up to 689,686 individuals was compromised in a May 2023 hacking incident by the Clop threat group. Allegheny County was alerted about the breach on June 1, 2023, and it was confirmed that the group exfiltrated files containing sensitive data between May 28 and May 29, 2023. Allegheny County said it received assurances from the Clop group that the stolen data was deleted, per the group’s policy of only attacking and extorting money from businesses; however, affected individuals have been told to take steps to protect their personal information and to register for the complimentary credit monitoring and identity theft protection services that have been offered.

County officials confirmed that the compromised information included names, Social Security numbers, birth dates, driver’s license/state identification numbers, taxpayer identification numbers, student identification numbers, and for certain individuals, medical information such as diagnoses, treatment information, and admission dates, and health insurance and billing/claims information.

Sutter SeniorCare PACE, a nonprofit health plan based in Sacramento, CA, has also recently confirmed that it was affected and had plan member data compromised in the attacks. The file transfer solution was used by its business associate, Cognisight, LLC, which provides specialist healthcare management services. Cognisight was informed about the hacking incident on May 31, 2023, and its forensic investigation of the incident concluded on June 5, 2023. Sutter Senior Care was informed about the incident on July 12, 2023.

The information stolen in the attack included names, dates of birth, Social Security numbers, and health information such as patient identification numbers and diagnosis, treatment, and provider information. Credit monitoring and identity protection services have been offered to the affected individuals. The breach has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.

The post Sutter Senior Care and Allegheny County Have Data Compromised in MOVEit Transfer Hacks appeared first on HIPAA Journal.

The Chattanooga Heart Institute (CHI) in Tennessee has recently announced that it identified a cyberattack on its network on April 17, 2023. Action was immediately taken to prevent further unauthorized access and a third-party forensics vendor was engaged to investigate the incident and determine the nature and scope of the attack. The forensic investigation confirmed that unauthorized individuals gained access to its network between March 8, 2023, and March 16, 2023, and on May 31, 2023, the investigation confirmed that files containing sensitive patient data had been copied by the attackers.

CHI’s electronic medical record system was not compromised; however, the files removed from its system were found to contain names, mailing addresses, email addresses, phone numbers, birth dates, driver’s license numbers, Social Security numbers, account information, health insurance information, diagnosis/condition information, lab results, medications, and other clinical, demographic, or financial information. Notification letters will be sent to the affected individuals in the coming weeks and credit monitoring, fraud consultation, and identity theft restoration services will be offered.

The breach was recently reported to the Maine Attorney General as affecting up to 170,450 individuals. While CHI did not disclose which group was behind the attack, the Karakurt group has claimed responsibility for the attack. Karakurt is a relatively new threat group that has no qualms about attacking healthcare organizations.

58,000 Individuals Affected by Cyberattack on Synergy Healthcare Services

Synergy Healthcare Services (SHS) in Atlanta, GA, has recently reported a data breach to the Maine Attorney General that has affected up to 58,034 patients of its healthcare clients: Consulate Health Care, Raydiant Health Care, Independence Living Centers, and their affiliated care centers.

The administrative service provider said suspicious activity was detected within its network in early December 2022, and the forensic investigation confirmed on December 15, 2022, that an unauthorized third party accessed parts of its computer network where personal health information was stored. A third-party data review company was provided with the files on December 22, 2022, and provided the results of the analysis to SHS on May 16, 2023.

The files contained information such as names, birthdates, signatures, insurance details, contact information, government identification numbers including driver’s licenses and Social Security numbers, medical history/treatment information, and financial information. Complimentary credit monitoring services have been offered to the affected individuals and steps have been taken to harden security to prevent similar incidents in the future.

Cheyenne Radiology Group & MRI Reports December 2022 Ransomware Attack

Cheyenne Radiology Group & MRI, P.C. (CRG), in Wyoming, has recently issued notifications to its patients about a ransomware attack that was discovered and stopped on December 12, 2022. According to the notification letters, the attack disabled some of its computer systems, and while data theft was not confirmed, the possibility that information was removed from its systems could not be ruled out. Third-party forensics specialists investigated the incident and confirmed that the files potentially accessed included names, mailing addresses, birth dates, Social Security numbers, driver’s license numbers, and health insurance information. CRG said it wiped and rebuilt all affected systems and has hardened security to prevent similar breaches in the future. The incident was recently reported to the Maine Attorney General as affecting up to 10,420 individuals.

The post Up to 170,450 Patients Affected by Cyberattack on the Chattanooga Heart Institute appeared first on HIPAA Journal.