The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Tift Regional Medical Center Patients Notified About August 2022 Cyberattack

Posted By on Aug 15, 2023

Tift Regional Medical Center in Georgia has started notifying 180,142 patients that their personal and protected health information was compromised in a cyberattack that was detected on or around August 16, 2022. According to the notification letters, there was no encryption of systems, access was not gained to its electronic medical record system, and the network remained available to staff and patients. The forensic investigation of the incident indicated files “were or may have been accessed or copied without authorization between August 11, 2022, and August 17, 2022.” The attack was conducted by the Hive ransomware group, which was the subject of a law enforcement takedown in January 2023. The Hive group claimed to have stolen 1TB of data in the attack, some of which was released on its data leak site.

The affected patients were informed that the files contained names, dates of birth, Social Security numbers, and medical information. Complimentary credit monitoring services have been offered for 12 months. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach, and the HHS was notified on time (October 14, 2022). A provisional total of 500 records was reported as it was not known at the time how many individuals had been affected. Individual notifications are also required in that same time frame. Tift Regional Medical Center did not explain in the notification letters why there was a delay in sending the notification letters.

Health Plan Member Data Compromised in Ransomware Attack on the City of Dallas

The city of Dallas suffered a ransomware attack on May 3, 2023, that impacted several of its websites and IT systems. Online services were offline for several days with some IT systems across its network down for several weeks following the attack. The city has reportedly paid at least $8.6 million for hardware, software, incident response, and consulting services in response to the Royal ransomware attack. The city has recently notified the HHS’ Office for Civil Rights that the protected health information of 30,253 members of its self-insured group health plans had their data stolen in the attack, including names, addresses, social security numbers, and medical and health information.

Confirmed MOVEit Transfer Hacks by the Clop Hacking Group

The following HIPAA-regulated entities have recently confirmed that they were affected by the MOVEit Transfer hacks by the Clop group in late May 2023. A zero day vulnerability was exploited in Progress Software’s file transfer solution, data was stolen, and ransom demands were issued.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

United Healthcare Services, Inc., MN.

Individuals affected: 398,319

Attacked entity: United Healthcare Services.

Information compromised: name, date of birth, address, phone number, email address, plan identification number, policy information, student identification number, Social Security number or national identification number, and claim information, including claim numbers, provider information, dates of service, diagnosis codes, prescription information, and financial information associated with claims.

Credit Monitoring: Norton LifeLock credit monitoring and identity theft protection for 24 months.

VNS Health Plans, NY

Individuals affected: 103,775

Attacked entity: VNS Health Plans’ claims processing vendor, TMG Health Inc.

Information compromised: name, mailing address, telephone number, email address, date of birth, social security number, member ID, Medicare and/or Medicaid number, benefit and subsidy information, billing information, medical claims information, healthcare provider name and specialty, and dates of service.

Credit Monitoring: Personal Identity and Privacy Protection through IDX for 12 months.

Vecino Health Centers, TX

Individuals affected: No information at this stage.

Attacked entity: Harris Health.

Information compromised: name, date of birth, prescription date(s).

Credit Monitoring: Not stated in the substitute breach notice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist