The 15 Biggest Healthcare Data Breaches of 2023 (So Far)

The realm of healthcare is considered one of the most sacrosanct, prioritizing patient welfare above all. Yet, as the global shift to digital continues to gain momentum, the vulnerabilities associated with it have also increased. The year 2023 has witnessed several major data breaches, many of which hit the healthcare sector, exposing millions of patient records and sensitive information. As we continue to navigate the digital age, it’s crucial to be aware of these incidents, not just as cautionary tales, but as reminders of the importance of stringent healthcare cybersecurity measures. Here’s a closer look at the biggest healthcare data breaches this year.

1. Managed Care of North America: Breach Impacting 8.9 Million Individuals

On May 30, 2023, a shocking revelation hit the headlines – Managed Care of North America, Inc. (MCNA), which operates under the name MCNA Dental, reported a massive data breach. The breach has affected a staggering 8,923,662 individuals, making it the largest healthcare data breach of the year so far. To add to the gravity, this is the second breach this month that exposed over 5 million healthcare records.

Timeline and Details

  • Discovery: The breach was first discovered by MCNA on March 6, 2023. Investigations revealed that an unauthorized entity gained access to specific systems within MCNA’s IT network between February 26 and March 7, 2023.
  • Action Taken: Immediately after detecting the unauthorized activity, MCNA contained the threat and engaged a third-party cybersecurity firm to assess the intrusion and ascertain its scope.
  • Information Compromised: A comprehensive review of the potentially accessed or copied files unveiled that they contained a plethora of protected health information, including but not limited to:
    • Personal identifiers such as names, addresses, email addresses, and phone numbers.
    • Vital information like birth dates, Social Security numbers, driver’s license numbers, and government-issued ID numbers.
    • Health-related data including health insurance details, Medicare/Medicaid ID numbers, group plan names and numbers, and specifics about the dental and orthodontic care received by individuals.

MCNA officially stated that the type of information compromised differed for each individual and they currently have no knowledge of any actual or attempted misuse of the breached data.

Aftermath: As part of its response to the breach, MCNA has enhanced its security measures and monitoring protocols to reduce the risk of similar incidents in the future.

The notorious LockBit ransomware group claimed responsibility for this attack. As proof of the data theft, the group leaked some of the stolen data on its dark web data leak site and demanded a ransom of $10 million to prevent the full release of the data. As the ransom demand was not met, the group released the stolen files on April 7, 2023.

Conclusion

It’s evident that cyber threats, especially in sensitive sectors like healthcare, are more aggressive than ever. The breach at MCNA serves as a wake-up call for organizations to prioritize cybersecurity and ensure that patient data remains confidential and secure.

Stay tuned for our updates on the other significant breaches that shook the healthcare sector this year. As we proceed with our list, remember that knowledge and awareness are the first steps to better security.

2. PharMerica Data Breach: Impacting Almost 6 Million Individuals

On May 17, 2023, the healthcare community faced another blow when the breach of PharMerica, and its parent company, BrightSpring Health Services, was publicly confirmed. Touted as one of the most significant healthcare data breaches reported by a single HIPAA-covered entity in 2023, the incident affected a staggering 5,815,591 individuals.

Timeline and Details

  • Announcement: The breach was first publicized in late March 2023 by the Money Message ransomware group. They declared having successfully infiltrated the systems of both PharMerica and BrightSpring Health Services. Consequently, both entities found themselves listed on the group’s data leak site.
  • The Magnitude: The ransomware group boasted about exfiltrating databases that contained a massive 4.7 terabytes of data, encompassing records of over 2 million individuals. PharMerica later confirmed this grim revelation, laying bare the depth of the intrusion.
  • Company Profile: As one of the predominant providers of pharmacy services in the US, PharMerica operates over 2,500 facilities and more than 3,100 pharmacy and healthcare programs, underscoring the potential impact of the breach.
  • The Investigation: PharMerica detected suspicious activity on its computer network on March 14, 2023. Subsequently, the network was isolated, and a thorough investigation was initiated. Leveraging the expertise of third-party cybersecurity professionals, it was deduced that an unknown entity had access to their systems between March 12 and March 13, 2023.
  • Information Compromised: By March 21, 2023, PharMerica recognized the nature of compromised data, which comprised:
    • Basic personal identifiers like names and addresses.
    • Vital data points including birth dates and Social Security numbers.
    • Health-specific details such as medication information and health insurance details.

While PharMerica did not acknowledge a ransomware attack or any data being published online, they assured that there was no evidence suggesting the misuse of the compromised data for fraudulent activities or identity theft.

Measures Taken:

  • All affected individuals were promptly notified.
  • They were provided complimentary credit monitoring and identity theft protection services for a 12-month period.
  • Further guidance was issued to the patients and those managing deceased patients’ estates, advising them to get in touch with national credit reporting agencies. This is to ensure deceased individuals’ credit files are marked appropriately, and to notify next of kin or law enforcement should there be any attempt to misuse the information.
  • PharMerica, in its commitment to safeguarding its stakeholders, has instituted additional technical cybersecurity measures to thwart similar breaches in the future.

Conclusion

PharMerica’s breach underscores the pressing need for healthcare organizations, irrespective of their scale, to invest continuously in top-tier cybersecurity protocols. It’s not just about financial implications but safeguarding the trust and well-being of millions of patients.

3. Ransomware Attack on Regal Medical Group: Implicating Numerous Healthcare Entities, 3.3 Million Impacted

A multi-faceted breach unfolded when Regal Medical Group, which encompasses a wide range of affiliated medical entities, fell prey to a ransomware cyberattack, highlighting the vulnerability of even the most intricate medical networks. The incident potentially jeopardized the personal details of countless patients.

Timeline and Details

  • Discovery: Regal identified the breach on December 8, 2022; the intrusion itself occurred around December 1, 2022. On December 2, Regal employees noticed difficulty accessing specific servers. Following a meticulous evaluation, malware was identified on a portion of Regal's servers, which threat actors had used to access and exfiltrate data.
  • Intervention: Regal swiftly engaged third-party vendors specializing in cybersecurity breaches to address the incident, and the Regal team, working alongside these vendors, promptly restored system access. In the subsequent months, a comprehensive analysis of the compromised data was conducted, and by February 2023, affected individuals were informed of the breach. In March 2023, it emerged that the servers affected by the breach housed data pertaining to an even larger group of potentially affected individuals.
  • Nature of the Compromised Data: For the patients potentially embroiled in this breach, the spectrum of compromised personal information was vast:
    • Fundamentals like name, address, phone number.
    • Sensitive data, such as social security numbers (for a subset of the affected population), diagnosis, treatments received, laboratory test results, prescription data, radiology reports, Medicare ID numbers, health plan member numbers, and birth dates.

Countermeasures Deployed by Regal

  • Notifying the affected individuals and pledging transparency.
  • Offering a year’s coverage for credit monitoring via Norton LifeLock.
  • Bolstering computer security measures to preempt unauthorized access.
  • Informing law enforcement, the US Department of Health and Human Services, Office for Civil Rights, the California Attorney General, and other pertinent regulatory bodies.
  • Engaging with local media outlets to ensure comprehensive awareness about the breach.

Recommendations for Affected Individuals

  • To reinforce protection against potential identity theft, individuals are urged to:
    • Register a fraud alert with major credit bureaus: Experian, TransUnion, and Equifax.
    • Maintain vigilant scrutiny of account statements, credit bureau reports, and Explanation of Benefit forms.
    • Engage with state Consumer Protection Agencies.
    • In situations where one’s personal information appears to be misused, reach out to local law enforcement or consult the Federal Trade Commission for guidance on identity theft.

Conclusion

Regal’s incident reiterates the critical importance of robust, preemptive cybersecurity measures for healthcare institutions. The breach, although daunting, provides an opportunity to address systemic vulnerabilities and implement preventative strategies to ensure patient data’s integrity remains uncompromised.

4. Cerebral Inc.: Exposing Data through Tracking Analytics

Cerebral Inc., a prominent healthcare entity, recently reported a substantial breach, revealing how even seemingly benign analytics and tracking mechanisms can expose crucial data. Here’s an insight into this data debacle:

Details of the Breach

  • Affected Count: 3,179,835 individuals.
  • Data Exposure: As disclosed by Cerebral Inc., the entity employed pixels and tracking technologies on its mobile apps and websites, which inadvertently shared an array of personal data, including protected health and financial information.
  • Duration: Cerebral has been sharing this sensitive data since 2019.
  • Specifics of Exposed Information:
    • For Account Creators: Name, phone number, email address, date of birth, IP address, Cerebral client ID number, and demographic details.
    • For Self-Assessment Participants: Data on chosen services, responses to the assessment, and specific health data.
    • For Subscription Purchasers: Subscription type, booking details, treatment and clinical data, health insurance details (like plan name, member/group numbers), and insurance co-pay amounts.
  • Revelation Source: Information was revealed by Cerebral through email communication to its users. It was also reported that sensitive data may have been shared with prominent social media platforms and other sites using ad trackers, such as Google, Meta (Facebook), and TikTok.

Repercussions

  • Legal Ramifications: There’s a mention of a class action lawsuit in the aftermath of this breach. This hints at the profound implications for Cerebral Inc. and the heightened scrutiny they’re likely to face.
  • Official Statement: Chris Savarese, the Senior Director of Communications for Cerebral, elucidated that the Department of Health and Human Services (HHS) rolled out new guidance in December regarding what constitutes individually identifiable health information (IIHI) and protected health information (PHI). The implications of this guidance are anticipated to be profound, especially for the telehealth sector. In line with this, all data derived from a healthcare website or app will be treated as PHI. Following the release of this clarification, Cerebral has modified its data transmission practices, placing a keen emphasis on patient privacy.

Conclusion

In the realm of today’s interconnected digital landscape, the breach faced by Cerebral Inc. underscores the perils of unchecked data sharing mechanisms, especially for healthcare entities. By shedding light on the unsuspected vulnerabilities tied to tracking analytics, it serves as a clarion call for the industry to bolster its security frameworks, ensuring that patient confidentiality remains sacrosanct.

5. NationsBenefits Holdings: Breach through Fortra’s GoAnywhere MFT File Transfer

NationsBenefits Holdings, an established provider of supplemental benefits and health plan solutions, recently grappled with a significant security breach. The root of the breach was Fortra’s GoAnywhere MFT file transfer solution, which fell prey to the notorious Clop ransomware group. Here’s a detailed breakdown of this high-profile incident:

Details of the Breach

  • Affected Count: 3,037,303 health plan members.
  • Breach Modus Operandi: The hackers utilized a zero-day vulnerability in Fortra’s GoAnywhere MFT solution. Exploiting this previously unknown vulnerability allowed them to pilfer data from susceptible on-premises MFT servers.
  • Data Exposure Period: The hackers infiltrated NationsBenefits’ data systems on January 30, 2023.
  • Nature of Data Exposed:
    • Key Health Plans Affected: Aetna ACE, Elevance Health Flexible Benefit Plan, and UAW Retiree Medical Benefits Trust.
    • Type of Information Compromised: Personal details such as first and last name, address, phone number, date of birth, gender, along with critical identifiers like health plan subscriber ID number, Social Security number, and/or Medicare number.
  • Ransom Situation: The Clop ransomware group, having exfiltrated the data, demanded a ransom. The payment was intended to stave off the potential public release of the pilfered data.

Repercussions & Subsequent Action

  • Other Victims: Apart from NationsBenefits, other entities like Community Health Systems (1 million affected) and Brightline (at least 964,300 affected) also fell prey to the breach, making NationsBenefits the most significantly impacted healthcare entity. Cumulatively, over 4 million individuals saw their health data compromised due to these attacks.
  • Incident Discovery: NationsBenefits was alerted to the breach on February 7, 2023, at 16:02, when its security monitoring system flagged unauthorized access. Upon this detection, Fortra was brought on board to aid the investigation.
  • Breach Containment: The subsequent internal investigation ascertained that the threat actors, while gaining access to the MFT servers, did not extend their infiltration to other systems or applications under NationsBenefits.
  • Security Measures: Before the incident, NationsBenefits had multiple security controls in place. After the breach, the firm enhanced these measures. The compromised MFT servers have been taken offline permanently, and the firm has moved to an alternative file transfer system in place of Fortra’s software.
  • Communication & Damage Control: Affected individuals were notified of the breach via letters starting from April 13, 2023. As a remedial measure, NationsBenefits has offered complimentary credit monitoring services for two years.

Conclusion

NationsBenefits Holdings’ data breach serves as a stark reminder of the escalating cybersecurity threats that organizations, particularly in the healthcare sector, face. The breach underscores the importance of relentless vigilance, timely upgrades, and the need for entities to be agile in responding to potential vulnerabilities in their digital ecosystems.

6. Harvard Pilgrim Health Care Ransomware Attack

Harvard Pilgrim Health Care (HPHC), a notable health services provider based in Massachusetts, recently grappled with a significant ransomware breach. The situation saw a staggering 2.5 million individuals, equivalent to nearly all its members, having their sensitive data accessed and potentially stolen by cyber attackers. Below is a comprehensive outline of the incident:

Details of the Breach

  • Affected Count: 2,550,922 individuals.
  • Breach Modus Operandi: Cyber attackers unleashed a ransomware attack on HPHC’s systems.
  • Data Exposure Period: The malicious actors maintained unfettered access to HPHC’s systems from March 28 to April 17, 2023.
  • Nature of Data Exposed:
    • The exposed information encompasses:
      • Personal identifiers: Full names, physical addresses, phone numbers, dates of birth, and Social Security numbers.
      • Insurance details: Health insurance account information and provider taxpayer identification numbers.
      • Clinical data: Medical history, diagnoses, treatment details, dates of service, and provider names.
    • The breach impacts both current and previous members of HPHC who registered starting March 28, 2012.
  • Ransom Situation: While the data was ransomed, no cyber group has officially claimed responsibility as of now. The modus operandi of ransomware gangs often sees them leveraging stolen data to exert pressure on victims, coercing them to acquiesce to ransom demands. In the event of non-compliance, the data might be peddled to other malicious actors or even disclosed to the public.

Repercussions & Subsequent Action

  • Official Announcement: HPHC took to the U.S. Department of Health and Human Services breach portal to report the severity of the incident. They also released an official notice that highlighted key details of the breach.
  • Incident Discovery: HPHC became cognizant of the breach on April 17, 2023.
  • Breach Containment & Analysis: In their efforts to dissect the incident and determine its breadth, HPHC brought third-party cybersecurity experts onboard. The initial probe confirmed data exfiltration from HPHC’s systems.
  • Damage Control Measures:
    • HPHC has undertaken a thorough review and analysis of its systems.
    • They’ve assured the affected parties that no cases of stolen data misuse have surfaced as yet.
    • To assuage the concerns of the affected individuals, HPHC has provided credit monitoring and identity theft protection services.
  • Guidance for Affected Individuals: HPHC underscores the gravity of the stolen data and warns of the potential risks of phishing or social engineering attacks. Affected members are urged to remain wary of unsolicited messages and maintain heightened vigilance.

Conclusion

HPHC’s ordeal is a testimony to the escalating cyber threats plaguing the health sector. The incident sheds light on the vulnerabilities inherent in digital systems and underscores the imperative need for robust security protocols. As the industry becomes increasingly digitalized, investing in advanced cybersecurity measures is paramount.

7. Enzo Biochem Ransomware Attack

Enzo Biochem, a distinguished New York-based life sciences enterprise, encountered a serious ransomware attack in April 2023. Notably, this incident ranks as one of the most significant in 2023 in terms of the sheer volume of affected individuals. Here’s a detailed summary of the episode:

Details of the Breach

  • Affected Individuals: The breach jeopardized the clinical test details of approximately 2.5 million people, with about 600,000 Social Security numbers getting exposed.
  • Breach Modus Operandi: Malicious actors gained unauthorized access to Enzo Biochem’s network and proceeded to steal clinical test data.
  • Nature of Data Exposed:
    • Clinical test details of 2,470,000 individuals.
    • Social Security numbers of about 600,000 individuals.
  • Disclosure: The incident was unveiled to the Securities and Exchange Commission (SEC) in an 8-K filing on May 30, 2023. However, it hasn’t been reported to HHS up to the present.

Company Profile & Operations

  • Business Overview: Enzo Biochem specializes in research, diagnostic services, and treatments for an array of diseases, encompassing cancer, metabolic disorders, and infectious ailments. They also offer diagnostic tests for COVID-19, genetic disorders, and sexually transmitted diseases.
  • HIPAA Relevance: Enzo Biochem is HIPAA-compliant and functions through three primary subsidiaries: Enzo Therapeutics, Enzo Life Sciences, and Enzo Clinical Labs. As a clinical laboratory, they fall under the purview of the Clinical Laboratory Improvement Amendments of 1988 (CLIA). Consequently, they’re classified as a “Covered Entity” healthcare provider, rendering them answerable to HIPAA stipulations.

Repercussions & Subsequent Actions

  • Operational Measures: After discovering the breach on April 11th, Enzo Biochem promptly disconnected its systems from the internet, ensuring its operations remained unhindered. However, the disconnection led to a few operational challenges, especially with processing laboratory specimens.
  • Financial Implications: Enzo Biochem acknowledged the financial ramifications arising from the cyber-attack, which include costs associated with addressing and analyzing the incident.
  • Legal & Regulatory Repercussions:
    • Breaches like this can invite investigations, particularly from the Office for Civil Rights (OCR) at HHS, due to potential HIPAA violations.
    • Lawsuits are already on the horizon. The first known lawsuit was filed on June 9, 2023, and is titled “Epstein vs. Enzo Clinical Labs, Inc. and Lab Corporation of America Holdings”. This proposed class action argues that the defendants exhibited negligence in implementing adequate data security measures.
    • An additional law firm is actively seeking affected patients for a similar lawsuit against Enzo.

Key Takeaways & Recommendations

  • Proactive Prevention: The best defense against ransomware and other cyber threats lies in anticipation and prevention. A diligent adherence to HIPAA guidelines can serve as a roadmap to stave off cybercrimes, including ransomware-induced breaches.
  • Invest in Compliance: Annual risk analyses, proactive investments in cybersecurity enhancements, and consistent workforce training can help fortify defenses against cyber intrusions. Leveraging resources like the Stop Ransomware Guide by CISA and FBI can be beneficial.
  • Financial Prudence: Compliance and preventive measures are invariably more cost-effective than protracted investigations and legal battles.

8. ZOLL Medical Cyberattack and Data Breach: 1 Million Individuals Impacted

In a recent disclosure, ZOLL Medical, a reputed entity in the domain of emergency care medical devices, acknowledged a substantial cyberattack that put the personal health data of over a million individuals at risk. Here’s a breakdown of the incident:

Overview

  • Company Profile: ZOLL Medical specializes in the production and marketing of emergency care medical equipment. Their product line includes resuscitation tools, ventilation devices, oxygen therapy equipment, cardiac monitoring products, and corresponding software solutions.
  • Breach Magnitude: More than one million patients had their protected health data exposed.
  • Nature of Exposed Data: The data accessed included:
    • Names
    • Addresses
    • Dates of birth
    • Social Security numbers

Incident Timeline & Details

  • Initial Detection: ZOLL Medical discerned anomalous activity within their internal network on January 28, 2023.
  • Forensic Findings: A detailed forensic investigation was conducted, which ascertained on February 2, 2023, that unauthorized users had breached parts of their network. These segments contained sensitive patient information, particularly of those who either utilized or were evaluated for the ZOLL LifeVest wearable cardioverter defibrillator (WCD).
  • Nature of Attack: The company hasn’t provided a comprehensive account of the cyberattack’s specifics. It remains unclear if the attack involved malware or ransomware, and if any data was transferred out of the company’s systems. However, they emphasized that there’s no current evidence suggesting misuse or attempted misuse of the exposed patient information.

Post-Incident Actions & Precautions

  • Notifications: Affected individuals are currently receiving notification letters.
  • Protective Measures: Though there’s no confirmed data misuse, ZOLL Medical is taking proactive steps to counter potential threats. They are offering complimentary credit monitoring and identity theft protection services to the impacted individuals for a span of 24 months.
  • Security Enhancements: In the wake of this cyberattack, ZOLL Medical has expressed their commitment to reviewing and, if necessary, bolstering their security protocols. The objective is to preclude similar incidents in the future.
  • Public Records & Reports: A formal notification was dispatched to the Maine Attorney General, which specifies that a total of 1,004,443 individuals were affected. The HHS’ breach portal reflects slightly different numbers, pointing to 997,097 affected individuals.

Historical Context

  • Previous Data Breach: This isn’t ZOLL Medical’s first encounter with data breaches. Back in 2018, an external software vendor’s oversight led to the exposure of the health data of about 277,000 users of ZOLL Medical’s equipment. The incident was attributed to a server migration error at Barracuda Networks, which inadvertently exposed portions of its email archive online.

9. Community Health Systems GoAnywhere Data Breach

In February, Community Health Systems, a leading health care provider, disclosed a significant security breach associated with its file transfer software, GoAnywhere MFT by Fortra. This incident brought to light potential vulnerabilities in third-party platforms that large healthcare institutions rely on. Here’s a summary:

Overview

  • Entity: Community Health Systems.
  • Software Affected: Fortra’s GoAnywhere MFT.
  • Perpetrator: The Clop ransomware gang claimed responsibility for the intrusion.
  • Breach Magnitude: The potential compromise of the protected health information of up to 1 million individuals.

Incident Timeline & Details

  • Initial Detection & Action: On the evening of January 30, 2023, Fortra noticed a security anomaly and promptly took the system offline by January 31, 2023.
  • Breach Period: Unauthorized access to the system was achieved between January 28, 2023, and January 30, 2023.
  • Notification: Community Health Systems was informed about the breach by CHSPSC on February 2, 2023.
  • Nature of Attack: The attackers claimed to have extracted data from around 130 users of the GoAnywhere software. Unlike typical ransomware attacks, files were not encrypted but were exfiltrated. Ransom demands followed, accompanied by threats of making the stolen data public.
  • Vulnerability: The intrusion was facilitated by a previously unknown vulnerability: a pre-authentication command injection flaw in the GoAnywhere platform.

Data Compromised

  • Affected Individuals: Those associated with CHSPSC affiliates. A smaller subset of employees and other individuals also had their information compromised.
  • Nature of Data: The breach exposed:
    • Full names
    • Addresses
    • Medical billing details
    • Insurance data
    • Medical records including diagnoses and medications
    • Demographics like birth dates and Social Security numbers

Post-Incident Actions & Precautions

  • Immediate Response: Fortra reacted swiftly by taking the compromised platform offline and initiated the process of rebuilding the GoAnywhere system with added security protocols.
  • Security Measures: A vulnerability patch was launched on February 6, 2023. CHSPSC also fortified its defenses by integrating additional security measures.
  • Notifications: Community Health Systems planned to dispatch notification letters to all affected individuals in mid-March.
  • Protective Measures: Impacted parties are being offered complimentary identity restoration and credit monitoring services for a duration of 24 months.
  • Cooperation with Authorities: Community Health Systems is actively assisting pertinent agencies, including law enforcement, CISA, and the FBI, in their investigations.
  • Public Records & Reports: The incident has been officially logged with the HHS’ Office for Civil Rights, which indicates 962,884 individuals were affected.

10. CentraState Healthcare System Faces Data Breach Affecting Hundreds of Thousands

Incident Occurrence and Discovery

CentraState Healthcare System, based in Freehold Township, NJ, encountered an unauthorized network intrusion in December 2022. The unusual system activity was noticed on December 29, and immediate action was taken to isolate the network and restrict unauthorized access.

Scope and Nature of the Breach

After the discovery of unusual activity, CentraState collaborated with the Federal Bureau of Investigation and independent cybersecurity specialists to discern the extent and the particulars of the breach. The in-depth analysis revealed that unauthorized entities did indeed exfiltrate a copy of an archived database containing a wealth of protected health information of patients.

Data Compromised

The exposed database encompassed names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and patient account numbers. It also contained specific data regarding care received at CentraState, including date(s) of service, physician names, departments, treatment plans, diagnoses, visit notes, and prescription information.

Resolution and Response

CentraState committed to continually enhancing the security protocols surrounding its electronic systems. To mitigate the impact of the breach on affected individuals, CentraState began sending notification letters on February 10, 2023, offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were exposed. It pledged to continue strengthening its security protocols and to implement additional safeguards to ward off future attacks.

Total Affected

This data breach has been reported to the HHS’ Office for Civil Rights as impacting 617,901 individuals.

Implications

The breach underscores the persisting vulnerability of healthcare systems and the extensive damage that can ensue when such rich repositories of sensitive information are compromised. It reinforces the need for heightened security measures and continual vigilance in the healthcare sector to protect patient data from unauthorized access and potential misuse.

11. Unauthorized Access to Advanced Medical Management Network Exposes Sensitive Consumer Data Affecting Almost 41,000 Individuals

Background

On June 29, 2023, Advanced Medical Management, LLC (AMM) filed a notification of a data breach incident with the Attorney General of Montana. The breach revolved around segments of the company’s IT network, which had been designed and maintained by third-party vendors. These portions were accessed without authorization, thereby compromising sensitive consumer data.

Details

The unauthorized party gained access to a multitude of consumer information, encompassing names, Social Security numbers, addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, protected health information (PHI), and health insurance data. The first hint of irregular activity was flagged by AMM on May 11, 2023, with the unauthorized access occurring between May 10 and May 13, 2023.

Cause

While a comprehensive understanding of the breach’s root cause is still awaited, the available details suggest that the systems infiltrated were developed and maintained by third-party vendors. AMM’s immediate actions following the discovery were to inform law enforcement and initiate an internal investigation. The goal was to comprehend the breach’s extent and determine if any confidential information was compromised. The investigation verified unauthorized access to specific databases containing PHI, with some files containing vast swaths of personal consumer information.

Steps Taken

After understanding the extent and nature of the breach, AMM meticulously reviewed the affected files to pinpoint exactly what data was compromised and which consumers were impacted. As a gesture of responsibility and transparency, on June 29, 2023, AMM started dispatching data breach notification letters to all affected individuals, informing them of the specific nature of their compromised data.

Implications

Given that AMM is a prominent player in offering support services to healthcare providers, the breached data potentially places countless victims at an elevated risk of identity theft and various fraud types. To address this, AMM is encouraging affected individuals to consult with data breach lawyers to discern the best steps forward, both for protection and to understand their legal rights.

About the Company

Baltimore, Maryland-based Advanced Medical Management, LLC is a renowned healthcare services firm. The company extends its management services to healthcare entities spanning Maryland, Delaware, Virginia, and Pennsylvania. It oversees several practices, including Multi-Specialty HealthCare, Injury Care Center, and Tri County Pain Management Centers, which have recently amalgamated to establish Excelsia Injury Care. It’s pivotal to clarify that Advanced Medical Management, LLC bears no connection to Advanced Medical Management, Inc., situated in Long Beach, California.

12. Security Breach Targets Imagine360’s Third-party File-sharing Platforms Impacting 130,000 Individuals

Background

Imagine360, a firm associated with processing claims related to health insurance plans, has recently detected a security incident. The breach targets third-party platforms used by the company for file sharing and exchange purposes.

Details

On January 30, 2023, Imagine360 noticed peculiar activity in Citrix, a third-party platform utilized for secure file exchanges regarding self-insured health plans. The platform is hosted externally from Imagine360’s environment; on noticing the activity, the company immediately revoked access, reset all passwords, and ascertained the security of its environment. Shortly afterward, on February 3, 2023, Fortra, the vendor of another third-party platform, notified Imagine360 of a distinct data security breach. An unauthorized actor reportedly copied data from multiple organizations, including Imagine360, housed within this platform.

Cause

A deeper investigation revealed that files were illicitly copied from both the Citrix and Fortra platforms between January 28 and January 30, 2023. The culprits and motives behind these breaches remain unclear.

Steps Taken

Reacting swiftly, Imagine360 collaborated with Fortra to shed more light on the incident, given that Fortra’s platform is also externally hosted. In parallel, Imagine360 conducted an internal investigation to establish a comprehensive understanding of the extent and specifics of the breaches. As a result of these combined findings, the company has reported the incidents to federal law enforcement and intends to alert state and federal regulators.

In a bid to further ensure the security of the data they manage, Imagine360 has suspended the use of Fortra’s platform. The company has also added extra layers of security by reinforcing existing policies, processes, and security measures.

Implications

The compromised data spans names, medical details, health insurance data, and Social Security Numbers. Understandably, such a breach can lead to grave consequences, such as identity theft and financial fraud.

Recommendations

Emphasizing the importance of vigilance, Imagine360 urges all potentially affected individuals to be on the lookout for any signs of identity theft or fraud. Reviewing account statements, explanations of benefits, and monitoring credit reports for any suspicious activities are some immediate steps to consider. The company has also provided a detailed guide titled “Steps Individuals Can Take To Protect Personal Information” for further assistance.

For Further Queries

Acknowledging the potential concerns of affected individuals, Imagine360 has set up a dedicated call center for addressing any related questions. They can be reached at (888) 220-5801 from Monday to Friday, between 6 a.m. and 6 p.m. Pacific Time (excluding U.S. holidays).

Closing Remarks

While regretting the inconvenience caused by these security lapses, Imagine360 remains committed to upholding the utmost standards of data privacy and security for all its stakeholders.

13. Phoenician Medical Center Suffers a Significant Data Breach Affecting Up to 162,500 Patients

Background

On July 5, 2023, the Phoenician Medical Center, Inc. (PMC) – which includes Phoenix Neurological & Pain Institute and Laser Surgery Center – reported a significant breach of patient data security. The breach has prompted the center to notify the U.S. Department of Health and Human Services Office for Civil Rights, suggesting severe implications.

Details

PMC’s notice to the authorities stated that an unauthorized entity accessed, and possibly extracted, vital patient information. The sensitive data that may have been compromised includes patient names, birth dates, contact details, demographic profiles, state identification numbers, and comprehensive health records, including diagnosis and treatment data.

Cause

Although the complete details of the breach are yet to be publicized, PMC has shared some preliminary findings. According to their report, they first became aware of the issue on March 31 when they noticed disruptions in their systems. In response to this disruption, they quickly secured their systems and initiated a thorough investigation.

The internal probe by PMC verified that an unauthorized party gained access to their IT infrastructure. It was later established that some of the potentially accessed files contained private information of patients who sought treatment from 2016 to 2023.

Steps Taken

Following the realization of the breach, PMC took immediate steps to assess the extent of the damage. They meticulously reviewed the compromised files to determine the nature of the exposed data and identify the affected individuals. On July 5, 2023, the medical center commenced the process of sending out notification letters to those impacted by the breach.

Implications

Patients of PMC should be vigilant, given the range of information that might have been exposed. With the breached data encompassing several personal details and medical histories, the affected individuals are at a higher risk of identity theft and other associated cybercrimes.

Recommendations

PMC urges those who received the breach notification to understand the gravity of the situation. It’s crucial to recognize the potential risks and explore measures to minimize the chances of identity theft or fraud. Engaging with a data breach lawyer can offer guidance on self-protection and elucidate any legal options available in light of the breach at Phoenician Medical Center.

About Phoenician Medical Center, Inc.: Situated in Chandler, Arizona, PMC is a prominent healthcare provider. It comprises various departments like Phoenician Primary Care, Phoenician Neurological & Pain Institute, Phoenician Vein & Vascular, Phoenician Cardiology, and Desert Laboratories. With over 20 establishments, PMC caters to more than 140,000 patients. The healthcare giant employs over 350 professionals and boasts an impressive annual revenue of approximately $10 million.

Closing Remarks

As more details about the breach emerge, PMC’s commitment to patient data security will undoubtedly be under scrutiny. The incident serves as a sobering reminder of the ever-present threats to data privacy in the healthcare sector.

14. Precision Anesthesia Billing Data Breach Affects Over 209,000 Individuals

Report Date: Not specified

Source: Precision Anesthesia Billing, LLC (“PAB”)

Background: Precision Anesthesia Billing, LLC, on July 7, 2023, formally informed the U.S. Department of Health and Human Services Office for Civil Rights about a concerning data security incident. The breach led to unauthorized access to the confidential information of the patients under the care of the company. Precision Anesthesia Billing has subsequently initiated the process of notifying the affected individuals about the breach.

Details: Based on the available information, it’s evident that unauthorized parties had access to critical personal details. The compromised data includes patients’ names, Social Security numbers, demographic data, health insurance details, and other protected health information.

Cause: Exactly how the breach originated is still being determined, but PAB’s official report attributes it to a Hacking/IT Incident, specifically targeting one of PAB’s primary network servers. The breach has had a significant impact, with an estimated 209,200 individuals being affected.

On a related note, Athens Anesthesia Associates, which uses certain services from PAB, issued a public notice on July 13, 2023. The notice discussed a breach at Precision Anesthesia Billing. While it hasn’t been explicitly confirmed, this notice seems to be referring to the same incident involving PAB.

According to the data gathered from the notice, PAB discerned a potential breach sometime before May 11, 2023. Reacting swiftly to this discovery, they fortified their network, contacted law enforcement, and employed third-party data security specialists to delve into the nature of the incident. PAB’s investigation revealed that unauthorized actors likely infiltrated PAB’s network and exfiltrated specific files from it during May 4-7, 2023. Subsequent analysis found that these files contained sensitive patient data.

Steps Taken: On recognizing the magnitude of the breach, Precision Anesthesia Billing scrutinized the affected files to gauge the depth of the breach and identify the victims. Once they understood the extent of compromised information, they filed an official notice on July 7, 2023, with the U.S. Department of Health and Human Services Office for Civil Rights. Companies usually issue data breach letters around the same period, which gives victims a clearer idea of the compromised data pertinent to them.

Implications: Individuals affected by this breach face significant risks given the nature of the data that has been potentially accessed. They are at heightened risk of identity theft, fraud, and other cyber-related crimes.

Recommendations: For those notified about the breach, it’s crucial to understand the associated risks. Taking preventative measures and being vigilant can minimize potential threats. Engaging with a data breach lawyer can offer more tailored advice and potential legal steps in light of the Precision Anesthesia Billing data breach.

Closing Remarks: With the breach at Precision Anesthesia Billing, LLC, patients’ trust in medical data security is once again shaken. This incident emphasizes the increasing necessity for strengthened data protection measures across the healthcare sector.

15. PBI Data Breach Affects 16 Million Retirees

Background

The Tennessee Consolidated Retirement System (TCRS) had previously reported a data breach in June, which was facilitated through MOVEit, a file transfer software utilized by their vendor, Pension Benefits Information (PBI). While TCRS has clarified that this breach did not originate within their systems, the impact of the breach was global, affecting over 16 million retirees.

Details

The data that was exposed in this breach comprises retirees’ names, social security numbers, birth dates, and mailing addresses. Thankfully, no banking or payment data was compromised.

The breach was not limited to just Tennessee, as it had a worldwide effect. Despite this, TCRS has assured that their Self-Service platform was untouched by the breach, and they have initiated collaboration with law enforcement regarding this matter.

To ameliorate the situation, PBI has proposed an offer to affected retirees, granting them access to credit monitoring and identity restoration services. The particulars of this proposal are expected to be conveyed to retirees through a letter from PBI.

Timeline

  • In June: The data breach occurs.
  • June 28: TCRS sends out a letter to retirees informing them about the breach.
  • July 15: Original expected date for PBI to dispatch the letters.
  • Week of August 1: Updated timeline for when PBI began sending the letters.

Steps Taken

  • TCRS has embarked on a partnership with law enforcement to investigate and manage the fallout of the breach.
  • PBI has undertaken the process of providing credit monitoring and identity restoration services to the affected retirees. The details regarding the same are to be dispatched via mail.
  • Due to the sheer scale of the breach, PBI has faced delays in sending out unique codes and verifying mailing addresses for each impacted member.
  • As per TSEA’s communication with TCRS, the letters dispatched by PBI will contain all necessary information for signing up for credit monitoring, and the service will be active for 12 months, starting from the day of registration.

Implications

Affected individuals are at a heightened risk of identity theft and fraud, considering the nature of data that was potentially accessed.

Recommendations: While awaiting the letter from PBI, TSEA advises retirees to:

Closing Remarks

This breach serves as a potent reminder of the inherent vulnerabilities associated with digital data transfer and storage systems. It is crucial for institutions to adopt stringent data protection measures and for individuals to remain vigilant, ensuring their personal information remains uncompromised.

In Closing: Navigating a Digital Minefield

The recent spate of breaches across multiple healthcare entities underscores the critical importance of robust data security in our increasingly digital age. As cyber-attack methodologies evolve, so too must the defensive mechanisms of institutions, especially those safeguarding sensitive patient data. The vulnerabilities exploited range from third-party vendor weaknesses to direct hacking attempts and even physical theft. This emphasizes that data security is a multi-faceted challenge that requires holistic solutions.

One glaring insight from these incidents is the invaluable nature of healthcare data. Names, contact details, social security numbers, and health information are prime targets for malicious actors, offering avenues for identity theft, fraud, and more. This makes healthcare institutions, and by extension their patients, disproportionately vulnerable.

However, it’s heartening to see that the affected organizations have been proactive in responding to these breaches, be it through investigations, involving regulatory bodies, or notifying impacted individuals and offering support. These reactions, while commendable, also highlight the need for preemptive action. As the saying goes, “prevention is better than cure,” and in the world of cyber-security, this rings especially true.

It’s imperative for institutions to understand that data security is a continuous process of adaptation and improvement. Regular security audits, employee training, stringent vendor vetting, and updated IT infrastructures are not just recommended but essential.

Furthermore, individuals must also be aware and vigilant. As end-users, understanding the risks, recognizing potential threats, and being proactive in safeguarding personal data can go a long way in complementing institutional security measures.

As we navigate this digital era, one thing is clear: data breaches, unfortunately, are a part of the landscape. However, with collective vigilance, adaptability, and a commitment to robust security measures, we can hope to stay a step ahead of potential threats, ensuring our personal data remains just that – personal.

Ali Allage CEO
A visionary leader in cybersecurity, with expertise that encompasses a deep understanding of the latest cybersecurity trends, technologies, and best practices, making a significant impact on enhancing organizational security postures in the digital age.