Wisconsin Dental Surgery Center Email Account Breach
Bay Oral Surgery & Implant Center (Bay Oral), a group of oral & maxillofacial dental surgery centers located in the Niagara Green Bay and Marinette communities in Wisconsin, recently submitted a data breach report to the HHS’ Office for Civil Rights (OCR) stating that the protected health information (PHI) of 13,055 patients was affected.
On February 27, 2024, Bay Oral found suspicious activity in the email account of a staff. The password for the email account was promptly altered to avoid continued unauthorized access. An independent cybersecurity agency looked into the breach. The forensic investigation affirmed that an unauthorized individual had installed a software program and obtained access to the staff email account on January 18, 2024.
The analysis of the emails and attachments revealed that patients’ PHI was compromised. The types of information affected included names, addresses, birth dates, email addresses, credit card numbers, insurance card numbers banking account data, Social Security numbers, x-rays, patient health history forms, patient visit notes, medical background questionnaires, and other types of patient health data that were revealed through email. The investigation cannot confirm whether the unauthorized person accessed or stole messages or attachments in the account.
Aside from quickly protecting the email account, Bay Oral took other steps to stop future identical incidents. They include adjusting IT organizations, enforcing a 24/7 safeguard and tracking solution, and employing new guidelines and procedures to ensure that patients’ PHI is not saved in email accounts.
Bay Oral mentioned it does not know of any report of fraud or identity theft during releasing notifications. The impacted persons were encouraged to be cautious of occurrences of fraud and identity theft by regularly looking at their credit statements, credit reports, bank accounts, and other monetary accounts for unauthorized activity.
Cyberattack on Aspire Health Alliance, Massachusetts
Aspire Health Alliance, a community behavioral health center with state-designated establishments in Quincy, Marshfield, and Braintree in Massachusetts, has informed 17,490 persons with regards to a cyberattack that was discovered on September 13, 2023. Suspicious activity was discovered inside its computer system. An independent forensic investigation showed that an unauthorized third party accessed its network and stole some files and information saved on its system.
A thorough review of the stolen files was done to know the types of information impacted. The process was finished on February 26, 2024, when it was reported that personal data and PHI were affected. The types of information differed from one person to another and might have included names, Social Security numbers, and other personal identifiers. Although information was compromised or stolen, there is no report obtained that suggests the misuse of any patient data. Free credit monitoring and identity protection services were provided to those whose Social Security numbers were affected, and extra safety measures were applied to minimize the threat of a similar occurrence later on.
PHI Of Approximately 500,000 People Exposed Due to Designed Receivable Solutions Data Breach
On March 23, 2024, the revenue cycle management firm, Designed Receivable Solutions (DRS) based in Cypress, CA, submitted a data breach report to the HHS’ Office for Civil Rights as affecting the PHI of 129,584 persons, and to the Maine Attorney General as impacting 498,686 persons.
On January 22, 2024, DRS discovered suspicious activity inside its system. Third-party cybersecurity professionals investigated the occurrence to find the reason for the activity. Based on the investigation, an unauthorized actor gained access to its systems and viewed and extracted files. On March 8, 2024, after reviewing the files in detail, DRS announced that the personal data and PHI of present and past patients of its healthcare customers were included in the breached files.
After that confirmation, DRS began working with its clients to assess and confirm the impacted data and get updated contact details to issue notification letters. DRS mentioned the types of information affected differed from one person to another and might have contained names, birth dates, addresses, Social Security numbers, medical insurance data, and dates of service. DRS has assessed its guidelines and processes associated with data privacy, is taking action to minimize the risk of the same incident happening later, and has provided the impacted persons with free credit monitoring services.
OCR recently announced in a website Q&A concerning data breach notification letters that HIPAA-covered entities should ensure notification letters are issued to the impacted persons in case of a data breach at a business associate. However, the covered entity could pass to the business associate the responsibility of sending individual notices.
DRS is issuing the breach notification letters on behalf of the covered entity clients listed below:
- AMG Healthcare Management Services
- Air Methods
- Cedars-Sinai Medical Center
- CAN Emergency Physicians
- CHA Hollywood Presbyterian Medical Center, L.P.
- Core Orthopaedics Medical Center
- GEM Physicians Group
- OptumCare Management, LLC
- Marshall Medical Center
- Ridgecrest Regional Hospital
- Redlands Community Hospital
- South Coast ER Medical Group
- Springhill Emergency Physicians
- Southland Medical Corporation
- Sycamore Physicians, LLC
- Valkyrie Clinical Trials, Inc.
- USC Arcadia Hospital (earlier called Methodist Hospital of Southern California)