Data Breaches Reported by Aveanna Healthcare, UNC Hospitals & School of Medicine, and Otolaryngology Associates

Aveanna Healthcare Email Account Breach

Home health and hospice care provider, Aveanna Healthcare based in Atlanta, GA, announced a security breach of its email environment and the exposure of the information of 65,482 patients. The healthcare provider identified anomalous activity in a staff email account on September 22, 2023. The email account was secured promptly. An investigation was launched to find out the nature of the activity, and whether patient data was exposed or stolen.

The investigation affirmed that an unauthorized third party acquired access to its email system and possibly obtained files that held patient information. Third-party professionals reviewed the affected files to identify the individuals impacted and the types of records that were probably exposed. Aveanna Healthcare completed that process on March 12, 2024, and started mailing the notification letters to the affected persons on March 15, 2024 to comply with the HIPAA Breach Notification Rule. The impacted individuals have been provided complimentary identity theft protection services.

The types of records involved varied from one person to another and might have included names along with one or more of the following: date of birth, Social Security number, driver’s license or state ID number, medical information, diagnosis, treatment details, MRN/patient identification number, incidental health reference, name of provider, health insurance information, prescription data, Medicaid/Medicare number, and treatment cost details. Aveanna Healthcare reported it did not find any proof that indicated the misuse of patient data.

UNC Hospitals & School of Medicine

UNC Hospitals & School of Medicine has announced an email account breach. A School of Medicine staff got a phishing email message from an identified and trusted contact and clicked the link in the message, thinking the message is a real communication. The staff’s email account was secured using multi-factor authentication (MFA); nevertheless, the attacker misled the staff into giving the MFA code, enabling access to the email account.

The email account breach happened on February 1, 2024, but it was identified the next day. The account was promptly secured; nevertheless, patient data in the email account is potentially viewed or stolen. Although no reports that indicate the misuse of patient data were found, UNC Hospitals is providing free credit monitoring services to people whose Social Security numbers, driver’s license numbers, financial account data, and/or medical insurance data were compromised. At this point, the number of individuals that were affected is uncertain.

Almost 317,000 Patients Impacted by Otolaryngology Associates Data Breach

A cyber threat actor attempted to extort cash from Otolaryngology Associates, an Indiana ENT specialist, after getting access to its system and extracting patient and worker information. Otolaryngology Associates stated its security system got alerts regarding a possible attack on February 17, 2024, a couple of hours after the attacker acquired access to the system. Quick action was undertaken to protect the system and prohibit the attack, and access to the system was blocked.

Three days afterward on February 20, and once more on February 21, an attacker professed to have stolen information during the attack and threatened to expose the stolen information in case no ransom was paid. Third-party forensic specialists investigated the incident and confirmed that the attacker did not manually access the system files, but used programs to exfiltrate information from the internal systems.

The forensic investigation narrowed down the information that was possibly extracted, but it cannot be known precisely what types of information were taken. The analysis of the files on the breached sections of the system showed they included the protected health information (PHI) of 316,802 persons. For most of the impacted persons, the data possibly stolen during the attack was restricted to data found in billing information, which does not contain driver’s license numbers or Social Security numbers. The compromised data was restricted to names, service codes, OA medical record numbers, date(s) of service, treating doctor names, locations of appointments, names of insurance companies, and the amount of charges in dollars.

A part of the impacted persons might have had at least one of these data compromised: driver’s license number, Social Security number, phone number, address, email address, birth date, schedule of appointment, insurance plan numbers, and/or referral forms. Impacted staff members might have had their bank account data and payroll data compromised. The personal notification letters mention the types of data that were compromised. OA Facial Plastics patients were not impacted as the attacker did not access the OA Facial Plastics systems.

Otolaryngology Associates stated it has enforced extra security measures to stop more attacks and has directed a cybersecurity company to keep an eye on the dark web for any exposure of patient information. During the issuance of notifications, no patient information was publicly published.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone