The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Johns Hopkins Investigating Cyberattack and Data Breach

Johns Hopkins University and Johns Hopkins Health System are investigating a May 31, 2023, cyberattack and data breach that targeted a widely used software tool. While Johns Hopkins did not name the tool that was targeted, the breach date coincides with the Clop/FIN11 attacks on the MOVEit Transfer managed file transfer solution.

While the investigation into the data breach is ongoing, the initial findings indicate that sensitive personal and financial information was impacted, including names, contact information, and health billing records. Notifications will be sent to all affected individuals in the coming weeks once the full scope and breadth of the breach are determined. Johns Hopkins has confirmed that credit monitoring services will be offered to affected individuals. In the meantime, Johns Hopkins urges all students, faculty, staff, and their dependents to take immediate action to protect their personal information, including reviewing their statements, credit reports, and accounts for unusual activity, and to consider placing a fraud alert and credit freeze with a national credit bureau.

Johns Hopkins has recently reported the breach to the HHS’ Office for Civil Rights as affecting 310,405 individuals.

PHI of 33,000 Patients Exposed in Maimonides Medical Center Cyberattack

Maimonides Medical Center in Brooklyn, NY, has confirmed that the protected health information of approximately 33,000 patients was stored on systems that were accessed by an unauthorized individual. The security breach was discovered on April 4, 2023, and unauthorized access was immediately blocked. The forensic investigation confirmed the initial access occurred on March 18, 2023.

The review of affected files revealed the majority of individuals only had their names, addresses, and limited clinical information exposed, such as diagnoses and treatment information; however, some individuals also had their Social Security numbers exposed. Affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services. Third-party cybersecurity experts were hired to assess system security and ensure that adequate safeguards were in place, and additional authentication measures have now been implemented.

iSpace Inc. Notifies 24,400 Individuals About Data Breach

iSpace, Inc., a provider of insurance eligibility services, has recently started notifying 24,382 individuals about a cyberattack that was discovered on February 5, 2023. In a May 31, 2023, notification to the California Attorney General, iSpace explained that the forensic investigation confirmed a system compromise had occurred and that there was file exfiltration between January 30 and February 5, 2023.

The analysis of the impacted files confirmed that they contained names, Social Security numbers, dates of birth, diagnosis information, health insurance group/policy numbers, health insurance information, subscriber numbers, and prescription information. At the time of issuing notifications, no actual or attempted misuse of the affected individuals’ information had been detected. iSpace said it engaged the services of security specialists to assist in examining its privacy and security policies and practices and will update them accordingly. The delay in issuing notifications was due to the lengthy investigation and data review process, which was completed on March 3, 2023, and the subsequent verification of contact information.

Normal Operations Resume After Richmond University Medical Center Ransomware Attack

Richmond University Medical Center (RUMC) in West Brighton, NY, has confirmed that it has fully recovered from a ransomware attack that was detected in the first week of May. The attack forced the medical center to shut down systems and activate its emergency protocols, and the staff recorded patient information manually while systems were restored. The investigation into the ransomware attack is ongoing to determine the extent to which patient information was involved, and notification letters will be sent to affected individuals when that process has been completed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
