Data Breach at Weirton Medical Center in West Virginia
Weirton Medical Center based in West Virginia discovered suspicious activity inside its computer system on January 18, 2024. After securing the systems promptly, third-party cybersecurity professionals helped investigate the incident and confirmed the unauthorized access to the system from January 14, 2024 to January 18, 2024, and the extraction of files from its systems.
The data affected was different from person to person and possibly contained at least one of these data: name, birth date, medical data, medical insurance data, treatment details, Social Security number, and the amount owed on medical charges. Although files were reported as having been removed from the network, Weirton Medical Center did not receive any information on patient data misuse. Weirton Medical Center stated that rigid security measures were already in place but they were improved to avoid the same occurrences down the road. Notification letters had been sent to the impacted persons on March 18, 2024. The incident was reported to the HHS’ Office for Civil Rights indicating that 26,793 individuals were affected as required by HIPAA.
Plymouth Tube Company Data Breach Impacts 2,652 Individuals
Plymouth Tube Company based in Warrenville, IL detected unauthorized access to its computer system. Upon investigation, it was revealed that unauthorized access occurred from January 27, 2024 to January 29, 2024. At that time, the threat actor viewed or stole files that contained employee benefit plan information.
The analysis of the breached files showed that 2,652 present and previous workers and their dependents were impacted. At least one of the following data of the employees was compromised: name, birth date, driver’s license number, Social Security number, and plan data. The impacted persons were informed on March 13, 2024, and free credit monitoring and identity theft protection services were offered.
KMJ Health Solutions Data Breach Impacted 2,191 Individuals
KMJ Health Solutions based in Michigan, an online signout and charge capture systems provider, reported a PHI breach affecting 2,191 people. On November 19, 2023, KMJ Health Solutions discovered unauthorized access to the server hosting its eDocList system. The attacker likely acquired the information of some clients and deployed ransomware to encrypt files. The threat actor initially accessed the system on July 1, 2023. KMJ Health Solutions sent notifications to the impacted clients on or about January 11, 2024.
One client affected by the data breach was Saint Joseph’s Medical Center based in New York. The data likely exposed included names, birth dates, diagnoses, lab results, dates of service, names of providers, medical record numbers, prescription drugs, and/or treatment data. Saint Joseph’s sent notifications to the impacted individuals on March 4, 2024, and mentioned that it stopped using KNJ Health Solutions. Whenever business associates encounter data breaches, the business associate, their covered entity clients, or both may issue notification letters. It is thus uncertain at this point how many people were impacted.
Lake of the Woods County Social Services Ransomware Attack
Lake of the Woods County Social Services in Minnesota submitted a data breach report that has impacted people served by the County Social Services Department as well as their family members. On November 14, 2023, the County’s cybersecurity programs noticed and stopped a ransomware attack. Although file encryption was held back, the forensic investigation affirmed the unauthorized access to its systems and data theft from November 14 to November 15, 2023.
The County received a ransom demand but declined to pay as per FBI advice. As a result, some stolen information was published on the dark web. The exposed information included names, along with a number of the following data: address, birth date, driver’s license number, Social Security number, financial account data, payment card details, data linked to medical problems, treatment or diagnosis, prescription drugs, names of healthcare companies, data associated with services individuals get from the County Social Services Department, like dates of service, locations of service, client ID number or unique identifiers associated with services offered, insurance ID number, and/or insurance data. For some individuals, the data contained username(s) and password(s) utilized to view online accounts, and/or mental health reports. The breach report was submitted to the HHS’ Office for Civil Rights indicating that 537 individuals were affected.