Evergreen Treatment Services Hacking Incident Affects 21K Patients
Evergreen Treatment Services, a Washington-based provider of addiction treatment services, announced on February 13, 2023, that unauthorized individuals gained access to its IT systems and potentially accessed patient information, including names, addresses, birth dates, Social Security numbers, and treatment information.
A third-party cybersecurity firm assisted with the investigation but found no instances of fraud or identity theft; however, as a precaution, the 21,325 affected patients have been offered complimentary credit monitoring and identity theft protection services. Evergreen Treatment Services did not state in its breach notice when the incident was detected, for how long the hackers had access to its network, or any information about the nature of the attack. Data security policies have been enhanced in response to the breach to prevent similar incidents in the future.
Data Stolen in Cyberattack on Texas Orthopaedics and Sports Medicine
Tomball, TX-based Texas Orthopaedics and Sports Medicine (TOSM) has confirmed that an unauthorized third party gained access to its network and removed files from its systems which included names, driver’s license numbers, and medical information. The attack was detected on November 28, 2022, when suspicious activity was identified within its network. The forensic investigation revealed the hackers had access to the network between November 22 and November 29. TOSM said it learned that patient information was compromised on February 10, 2023, and notifications were sent to the 1,023 affected individuals on February 23. TOSM said steps are being taken to improve security and further training has been provided to employees. Affected individuals have been offered one year of credit monitoring services.
Sentara Healthcare Patient Data Exposed Online
Norfolk, VA-based Sentara Healthcare, a not-for-profit healthcare provider serving patients in Virginia and northeastern North Carolina, has recently notified 741 patients that some of their protected health information has been exposed online. Sentara Healthcare was tipped off about the exposed data by an anonymous individual who stumbled across a PDF file online while searching for information on how to convert PDF files to a different format. An individual had uploaded a Medicare remittance document to an Adobe Acrobat website that contained the data of Sentara Healthcare patients.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Sentara Healthcare confirmed that the PDF file was still online and had been uploaded on October 17, 2022. The name of the individual who uploaded the file was found, and Sentara Healthcare confirmed it was an employee of Coronis Health, a business associate that provides billing-related services for lab services. Coronis Health was notified about the exposed data on December 19, 2022, and removed the file on December 20. Coronis Health provided further training to its entire team in response to the error. The file contained patient names, Medicare ID numbers, dates of service, CPT codes, location of service, the last 4 digits of account numbers, and outstanding balances. Credit monitoring services have been offered to affected individuals.
Email Account Compromised at Compass Behavioral Health
On February 28, 2023, Garden City, KS-based Compass Behavioral Health notified 537 patients about a security breach that exposed a limited amount of their personal and health information. On or around December 13, 2022, Compass learned that an employee email account and associated OneDrive account had been compromised. The forensic investigation determined the account contained a spreadsheet that included a list of incident reports maintained by Compass for recording breaches of procedure, injuries, accidents, and unusual occurrences. The spreadsheet included information such as names, addresses, dates of birth, dates of death, location of treatment, medical record numbers, information related to medical incidents, limited medical information, and medication information. Credentials were changed in response to the breach and multi-factor authentication was implemented. There have been no reports of actual or attempted misuse of the exposed information.