The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

277,000 Santa Clara Family Health Plan Members Affected by GoAnywhere Hack

Data breaches have recently been announced by Santa Clara Family Health Plan, United Steelworkers Local 286, Robeson Health Care Corporation, Two Rivers Public Health Department, and NewBridge Services.

Santa Clara Family Health Plan Confirmed as Victim of Clop GoAnywhere Hack

Santa Clara Family Health Plan has confirmed that the 276,993-record data breach reported to the HHS’ Office for Civil Rights on March 30, 2023, was due to the hacking of Fortra’s GoAnywhere MFT solution by the Clop ransomware group. The group exploited a previously unknown (zero-day) vulnerability and exfiltrated data but did not encrypt files. 130 organizations fell victim to the attacks over a 10-day period in late January/early February this year.

The incident affected NationsBenefits, which provides supplemental benefits administration services to several health plans, including Santa Clara Family Health Plan. NationsBenefits learned of the attack on February 7, 2023, and was informed by Fortra that the attack occurred on or around January 30, 2023. On February 13, 2023, NationsBenefits confirmed that the data compromised in the attack included protected health information such as name, address, phone number, gender, date of birth, health insurance number, medical ID number, Social Security number, date(s) of service, medical device or product purchased, and provider/caregiver name. NationsBenefits said it has stopped using the GoAnywhere solution and is implementing a range of additional measures to strengthen security.

United Steelworkers Local 286 Security Breach Affects Almost 38,000 Health Plan Members

United Steelworkers Local 286 has discovered an unauthorized individual gained access to an employee email account that included the protected health information of 37,965 members of its health plan. The email account breach was detected on February 13, 2023, and the forensic investigation confirmed the email account was accessed between June 16, 2022, and July 18, 2022.

A manual document review confirmed the account contained full names, Social Security numbers, dates of birth, financial account numbers, driver’s license and/or state identification numbers, passport numbers, medical treatment information, medical record numbers, biometric information, and health insurance information.

No evidence of misuse of plan member data has been uncovered; however, as a precaution against identity theft and fraud, individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring services. United Steelworkers Local 286 said security measures were in place and are continually evaluated and modified to ensure the privacy and security of employee data.

Two Rivers Public Health Department Reports Microsoft 365 Account Breach

Two Rivers Public Health Department (TRPHD) in Nebraska has recently confirmed that the protected health information of 15,168 patients was stored in an employee Office 365 account that was accessed by an unauthorized third party.

TRPHD said suspicious activity was detected within its server infrastructure on November 9, 2022. The initial investigation conducted by a third-party IT firm concluded that patient data had not been compromised; however, out of an abundance of caution, an external forensic investigation firm was engaged to fully investigate the security breach and confirmed that an Office 365 account was accessed by an unauthorized individual between September 14, 2022, and November 8, 2022. The review of the account confirmed it contained protected health information, although the press release issued did not state what types of information had been exposed.

TRPHD said the document review was completed on March 15, 2023, and notifications were mailed to affected individuals on April 14, 2023. Additional security measures have been implemented to better secure its systems against unauthorized access.

Robeson Health Care Corporation Discovers Malware Infection

Robeson Health Care Corporation (RHCC) in Pembroke, NC, has reported a data breach to the Maine Attorney General that has affected up to 15,045 individuals. According to the notification, malware was detected within its network on February 21, 2023. The subsequent forensic investigation confirmed that an unauthorized third party had access to its systems between February 17, 2023, and February 21, 2023.

While evidence of data theft was not found, it could not be ruled out. The document review confirmed the following types of information were exposed: name, address, Social Security number, date of birth, treatment information/diagnosis, treating physician, medical record number, patient ID number, Medicare/Medicaid number, prescription information, health insurance information, and treatment costs. Notifications were mailed on April 21, 2023, and complimentary credit monitoring and identity theft protection services have been offered. Security has been enhanced to prevent similar incidents in the future, including implementing multi-factor authentication for all users.

Update: On October 9, 2023, RHCC completed a review of former patient information and concluded that the data may also have been viewed or stolen. In a supplemental breach report to the Maine Attorney General, RHCC said the data of 62,627 individuals was involved.

NewBridge Services Hacking Incident Affects 1,457 Individuals

The Pequannock, NJ-based counseling service provider, NewBridge Services, said an unauthorized individual gained access to its systems and potentially accessed and obtained the protected health information of 1,457 individuals. The security breach was detected on January 26, 2023, when certain systems were disrupted. The forensic investigation confirmed on January 28, 2023, that protected health information had been exposed, although no evidence was found of actual or attempted misuse of that information.

The exposed information included names, Social Security numbers, dates of birth, treatment information, provider information, prescription information, payment information, and health insurance information. Written notifications were mailed to affected individuals on April 17, 2023, and security has been augmented to prevent similar incidents in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
