Database Misconfiguration at Delaware Department of Health and Social Services
The Delaware Department of Health and Social Services, Division of Developmental Disabilities Services (DDDS) has just learned that a misconfiguration occurred during the creation of new user accounts for the division's customer database. Because of the misconfiguration, the records of 7,074 persons became accessible.
DDDS discovered the misconfiguration on August 23, 2022. According to the investigation, the 159 new user accounts that were created allowed access to service recipients' personally identifiable information (PII) and protected health information (PHI), along with even more specific information. There were 12 instances where users actively accessed the records; however, even more records were potentially passively accessed. It cannot be determined how many files were passively viewed. DDDS therefore decided to inform all 7,074 persons and offer them free credit monitoring services for one year.
DDDS has taken steps to enhance security to avoid the same misconfigurations in the future. The lessons learned from the incident will be applied to the new customer data management system that is presently being built and will be put into effect in 2023.
Hacking Incident at Country Doctor Community Clinic, WA
On October 19, 2022, Country Doctor Community Clinic, located in Seattle, WA, announced that hackers had gained access to its digital account and viewed, and possibly obtained, files that contain the protected health information of 38,751 patients.
On October 6, 2022, unusual activity was seen in its computer systems. The clinic took immediate action to secure its IT systems and stop further unauthorized access. Third-party cybersecurity specialists were hired to investigate the incident and determine the nature and scope of the attack. An analysis was performed to determine the types of information that were exposed, and updated contact details were then obtained for affected individuals. That process was finished on October 14, 2022.
Country Doctor Community Clinic stated that names, dates of birth, addresses, Social Security numbers, and other PHI were likely compromised. Credit monitoring and identity theft protection services are being offered to individuals whose Social Security numbers were exposed. Steps have also been taken to improve security to prevent similar breaches in the future.
Hacking Incident Reported by Riverside Medical Group, NJ
Riverside Medical Group, an adult medical practice, serves patients in Northern New Jersey. It recently discovered that hackers obtained access to an old server at its clinic based in West Orange. It is possible that the attackers viewed or stole files with patient data. The hacked server belonged to a company that used it to keep immunization information. No other systems were affected by the hacking.
Riverside Medical Group said the breach was discovered on August 3, 2022. The evaluation of files found on the server revealed that they included the PHI of 12,499 individuals, including name, address, email address, date of birth, gender, phone number, immunization data, dates of immunizations, provider information, health plan data, and in some instances, Social Security number. Riverside Medical Group stated that it does not know of any actual or attempted misuse of patient data.