Cyberattack on Columbus Regional Healthcare System, Aria Care Partners, and Coastal Hospice & Palliative Care

133K Records Exposed at Columbus Regional Healthcare System

Columbus Regional Healthcare System in Whiteville, NC, submitted a report to the Maine Attorney General concerning a cybersecurity incident that resulted in patient data theft. Unauthorized persons got access to its system from May 19, 2023 to May 21, 2023, and files were extracted from its system during this time.

The file analysis was done on December 28, 2023, and breach notifications were sent by mail to the impacted persons. The c0mpromised data differed from person to person and might have contained names along with at least one of these data: Social Security number, birth date, state ID number, driver’s license number, alien registration number, passport number, financial account data, medical data (date(s) of service, treatment/diagnosis details, patient account number, medical record number, and/or prescription details) and/or medical insurance policy details.

The Breach Notification to the Maine Attorney General shows 132,887 persons were impacted. The healthcare system did not receive any evidence that suggest actual or attempted data misuse. As a preventative measure against identity theft and fraud, those whose Social Security numbers were exposed received free credit monitoring services. Columbus Regional Healthcare stated it had enforced safety measures to secure against unauthorized access and regularly assesses and changes its procedures and internal controls to improve the security and privacy of personal data.

Senior PsychCare Informs 75,000 Patients About Data Breach in December 2022

The PHI of 75,000 patients of Psychological Holdings, PLLC based in Texas, also known as Senior PsychCare (SPC), was exposed in a security breach last December 2022. Based on the breach notification letters, some unauthorized persons accessed its system from December 13, 2022 to December 22, 2022.

Senior PsychCare hired third-party cybersecurity experts to carry out a forensic investigation and a manual analysis of all files that the attackers accessed on its network. That evaluation process finished on November 20, 2023, and revealed that the compromised data included names, Social Security numbers, addresses, health data, and medical insurance data.

Senior PsychCare stated it did not receive any report that patient data was misused and has provided the impacted persons with free credit monitoring services as a safety measure. SPC stated it had cybersecurity procedures set up to safeguard against unauthorized access of data and regularly assesses and changes its procedures and internal controls to improve the safety and privacy of personal information.

Ransomware Attack on Primary Health & Wellness Center in October 2023

Primary Health & Wellness Center based in Baltimore County, MD advised 4,792 persons about the potential exposure of some of their PHI because of a ransomware attack that was discovered on October 20, 2023. The substitute breach notice mentioned that the compromised server held the health information of patients since 2018, which contained names, birth dates, addresses, medical data, and Social Security numbers. The forensic investigation found no proof that suggests data was extracted from the server prior to file encryption. Usually, threat actors that utilize Phobos ransomware aren’t identified to extract information, but data theft cannot be ruled out.

Although data theft is not considered to have happened, the impacted patients were instructed to keep track of their credit reports and account statements for possible fraudulent transactions and to report them to the proper authorities immediately. Primary Health & Wellness Center mentioned it is serious about its responsibilities under the Maryland Confidentiality of Medical Records Act and HIPAA and truly feels sorry for the breach and resulting inconvenience.

PHI Compromised Because of the Cyberattack on Coastal Hospice & Palliative Care

Coastal Hospice & Palliative Care based in Salisbury, MD, has reported that it encountered a cyberattack on July 24, 2023, that disrupted its network server. Cybersecurity professionals investigated the attack and stated that its system was accessed by unauthorized persons. All files on the system that were compromised were analyzed and that procedure was done on November 20, 2023. The healthcare provider mailed notification letters to the impacted people on January 22, 2023.

The breached data that may have been stolen contained names, medical diagnosis data, medical insurance policy numbers, doctor or medical facility data, medical problem or treatment details, patient account numbers, birth dates, and Social Security numbers. The incident was reported to the proper government bodies, however, it is not presently posted on the HHS’ Office for Civil Rights breach website, therefore it is uncertain how many persons were impacted.

Cyberattack on Aria Care Partners in May 2023

Aria Care Partners based in Overland Park, KS, has revealed a cybersecurity incident that happened in May 2023. As per the forensic investigation, its vision file server was accessed without unauthorization. A detailed review was done of all records on the server which was finished in December 2023. It was confirmed that files containing patient names, birth dates, driver’s license numbers, Social Security numbers, diagnosis, treatment details, and medical insurance data were exposed.

The affected persons received notification letters by mail on January 19, 2024. The impacted persons were also provided with free credit monitoring and identity theft protection services, including a $1 million identity theft insurance plan, identity theft recovery, and dark web monitoring services.

The breach was reported to the proper authorities, however, it isn’t presently posted on the HHS’ Office for Civil Rights breach website, thus it is uncertain how many persons were impacted.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone