858K Individuals Impacted by Superior Air-Ground Ambulance Service Data Breach
Superior Air-Ground Ambulance Service provides ambulance and Emergency Medical Services (EMS) in Indiana, Illinois, Michigan, Wisconsin, and Ohio. It reported the exposure and theft of the protected health information (PHI) of 858,238 patients because of a cyberattack in May 2023.
The healthcare provider identified suspicious activity in its IT network in May 2023 and took immediate action to separate those systems and launched an investigation to determine the source of the activity. On June 23, 2023, there was unauthorized access to its system between May 15 and May 23, 2023, and during that time, an unauthorized actor copied files from its network.
Superior Air-Ground Ambulance Service then performed a thorough and time-intensive audit of the affected files to identify the individuals impacted and the types of data that were compromised or stolen. After that process was finished, the Superior Air-Ground Ambulance Service worked on getting up-to-date contact details to send notification letters. Due to the number of people affected, that procedure has taken considerable time; nevertheless, notification letters were mailed to the impacted persons on behalf of themselves and related affiliated covered entities and subsidiaries.
The types of information affected varied from one person to another and may have involved name, address, birth date, Social Security number, driver’s license or state identification number, financial account data, payment card details, patient record data, medical diagnosis or condition data, medical treatment details, and/or health insurance details. The impacted people have been cautioned to remain attentive against incidents of identity theft and fraud by looking at their explanation of benefits, account statements, and free credit reports. It seems that no credit monitoring and identity theft protection services were provided.
Superior Air-Ground Ambulance Service stated it has taken steps to better safeguard the privacy and security of data in its care as per HIPAA requirements. It has reviewed and revised its policies and procedures and applied extra security procedures.
Former Employee of Multnomah County Health Department Did not Return Laptop That Contains Patient Data
Multnomah County Health Department based in Portland, OR, has informed 1,092 patients of Multnomah County Health Center about the exposure of some of their PHI. On March 4, 2024, the Health Department laid off a worker who did not give back a laptop to the Health Department. When workers are terminated, their accounts including access to the network, email, electronic medical records, and clinical systems are ended. This policy was implemented with this dismissal, but the laptop that stored patient data was not returned. Although employed, the ex-employee had access to the data, although the authorization to access ended as soon as the employee was dismissed.
On April 24, 2024, the anti-malware system of the Health Department generated a notification regarding suspicious activity happening on the unreturned laptop, which implies that the employee was using the laptop. The IT team looked into the incident and confirmed that the ex-employee accessed the computer using the information for an old account and they found two spreadsheets with patient information stored on the laptop. The compromised information included names, Medicaid IDs, medical record numbers, birth dates, gender, ethnicity, race, dates of service, and clinic.
Multnomah County Health Department issued an order to remotely erase the data the next time the laptop logs onto the web. The department also notified the impacted patients regarding the incident and offered them free identity theft protection services. The inability of the employee to give back the laptop after several demands was also reported to the Portland Police Bureau. The Health Department has heightened technical standards and training regarding County-released computers to avoid the same incidents later.