The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Evergreen Treatment Services Hacking Incident Affects 21K Patients

Evergreen Treatment Services, a Washington-based provider of addiction treatment services, announced on February 13, 2023, that unauthorized individuals gained access to its IT systems and potentially accessed patient information, including names, addresses, birth dates, Social Security numbers, and treatment information.

A third-party cybersecurity firm assisted with the investigation but found no instances of fraud or identity theft; however, as a precaution, the 21,325 affected patients have been offered complimentary credit monitoring and identity theft protection services. Evergreen Treatment Services did not state in its breach notice when the incident was detected, for how long the hackers had access to its network, or any information about the nature of the attack. Data security policies have been enhanced in response to the breach to prevent similar incidents in the future.

Data Stolen in Cyberattack on Texas Orthopaedics and Sports Medicine

Tomball, TX-based Texas Orthopaedics and Sports Medicine (TOSM) has confirmed that an unauthorized third party gained access to its network and removed files from its systems that included names, driver’s license numbers, and medical information. The attack was detected on November 28, 2022, when suspicious activity was identified within its network. The forensic investigation revealed the hackers had access to the network between November 22 and November 29. TOSM said it learned that patient information was compromised on February 10, 2023, and notifications were sent to the 1,023 affected individuals on February 23. TOSM said steps are being taken to improve security and further training has been provided to employees. Affected individuals have been offered one year of credit monitoring services.

Sentara Healthcare Patient Data Exposed Online

Norfolk, VA-based Sentara Healthcare, a not-for-profit healthcare provider serving patients in Virginia and northeastern North Carolina, has recently notified 741 patients that some of their protected health information has been exposed online. Sentara Healthcare was tipped off about the exposed data by an anonymous individual who stumbled across a PDF file online while searching for information on how to convert PDF files to a different format. An individual had uploaded a Medicare remittance document to an Adobe Acrobat website that contained the data of Sentara Healthcare patients.


Sentara Healthcare confirmed that the PDF file was still online and had been uploaded on October 17, 2022. The name of the individual who uploaded the file was found, and Sentara Healthcare confirmed it was an employee of Coronis Health, a business associate that provides billing-related services for lab services. Coronis Health was notified about the exposed data on December 19, 2022, and removed the file on December 20. Coronis Health provided further training to its entire team in response to the error. The file contained patient names, Medicare ID numbers, dates of service, CPT codes, location of service, the last 4 digits of account numbers, and outstanding balances. Credit monitoring services have been offered to affected individuals.

Email Account Compromised at Compass Behavioral Health

On February 28, 2023, Garden City, KS-based Compass Behavioral Health notified 537 patients about a security breach that exposed a limited amount of their personal and health information. On or around December 13, 2022, Compass learned that an employee email account and associated OneDrive account had been compromised. The forensic investigation determined the account contained a spreadsheet that included a list of incident reports maintained by Compass for recording breaches of procedure, injuries, accidents, and unusual occurrences. The spreadsheet included information such as names, addresses, dates of birth, dates of death, location of treatment, medical record numbers, information related to medical incidents, limited medical information, and medication information. Credentials were changed in response to the breach and multi-factor authentication was implemented. There have been no reports of actual or attempted misuse of the exposed information.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
