Protected Health Information Exposed in 5 Recent Hacking Incidents
Florida Medical Clinic, NorthStar Emergency Medical Services, Denver Public Schools, Wichita Urology Group, and The Bone & Joint Clinic have recently reported hacking incidents and the exposure and potential theft of protected health information.
Florida Medical Clinic
Florida Medical Clinic has recently announced that it was the victim of a ransomware attack. The attack was detected on January 9, 2023, and prompt action was taken to contain the attack, which limited data exposure, although files were encrypted. The third-party forensic investigation confirmed the attacker accessed files that contained patients’ protected health information; however, its electronic medical record system was not affected.
In a refreshingly detailed breach notice, Florida Medical Clinic explained that 94,132 files had been exposed, each of which only contained limited patient information. 95% of the compromised files only included an individual’s name. The remaining files included names, phone numbers, email addresses, birth dates, and addresses. No financial information was compromised, and only 115 Social Security numbers were exposed.
Florida Medical Clinic said evidence was obtained of all stolen files being permanently deleted, which indicates the ransom was paid. No evidence of misuse of patient data has been uncovered. All affected patients have been notified and additional cybersecurity measures have been implemented to prevent further attacks, including replacing certain system components and changing remote access protocols.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The HHS’ Office for Civil Rights breach portal indicates 94,132 individuals were affected.
The Bone & Joint Clinic in Wisconsin
The Bone & Joint Clinic, which operates 7 clinics in Wisconsin, has recently notified current and former employees and patients about a cyberattack that was detected on January 16, 2023, which caused network disruption. According to the notification letters, unauthorized individuals potentially accessed and acquired files containing information such as names, addresses, phone numbers, birth dates, Social Security numbers, health insurance information, and diagnosis and treatment information.
Affected individuals were notified on March 7, 2023, and offered 12 months of complimentary credit monitoring and identity theft protection services. The incident has been reported to the HHS’ Office for Civil Rights as affecting 105,094 individuals.
NorthStar Emergency Medical Services
Tuscaloosa, AL-based NorthStar Emergency Medical Services has recently reported a data breach that has affected up to 82,450 patients. According to the notice sent to the Maine Attorney General, suspicious activity was detected within its computer network on September 16, 2022; however, it took until March 8, 2023, to determine that patient data had been exposed. The breach notice did not state when the attackers first gained access to its network.
The affected files contained information such as names, Social Security numbers, birth dates, patient ID numbers, treatment information, Medicare/Medicaid numbers, and health insurance information. Notification letters were sent to affected individuals on March 14, 2023. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals and steps have been taken to harden security.
Denver Public Schools
Denver Public Schools has recently announced that unauthorized individuals gained access to some of its servers and exfiltrated files that contained sensitive employee data. Data theft was discovered on January 4, 2023, and the forensic investigation confirmed unauthorized individuals had access to its network between December 13, 2022, and January 13, 2023.
The document review revealed the affected files included names, Social Security numbers, fingerprints (if on file), bank account numbers/pay card numbers, student ID numbers, driver’s license numbers, passport numbers, and some health plan enrollment information. The breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 35,068 current and former participants in its employer-sponsored health plan. It is unclear how many students were affected by the data breach. Denver Public Schools said additional security measures have been implemented to prevent similar breaches in the future. Credit monitoring and identity theft protection services are being offered to affected individuals.
Wichita Urology Group
Wichita Urology Group in Kansas has recently notified 1,493 individuals that unauthorized individuals gained access to its network and potentially viewed or obtained files containing names, prescription information, billing information, and health insurance information.
Suspicious activity was detected within its network on January 3, 2023, with the forensic investigation confirming the intrusion occurred on January 2. The forensic investigation confirmed on January 26, 2023, that protected health information had been exposed; however, there has been no detected misuse of patient data. Technical security measures have been enhanced to prevent further attacks.
