The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

United Health Centers of San Joaquin Valley Notifies Patients About August 2021 Ransomware Attack

Posted By on Aug 16, 2022

In August 2021, the Vice Society ransomware operation published data on its data leak site that had allegedly been obtained in a ransomware attack on United Health Centers of San Joaquin Valley.  On August 31, 2021, Bleeping Computer was made aware of the data leak and made multiple attempts to notify United Health Centers. The website DataBreaches was also made aware of the data breach and similarly attempted to notify United Health Centers on multiple occasions. HIPAA Journal reported on the incident in September 2021.

Almost a year on and individuals whose protected health information was exposed or stolen in the attack have been notified by United Health Centers. The breach notification provided to the California Attorney General on August 12, 2022, explains that technical difficulties were experienced by United Health Centers on August 28, 2021, which caused disruption to its computer systems. Steps were immediately taken to secure its network and systems, and an investigation was launched to determine the nature of the incident.

United Health Centers said it discovered on September 22, 2021, that patient data had been exfiltrated from its systems. Third-party specialists were then engaged to confirm the scope of the data breach. The investigation confirmed that data had been exfiltrated between August 24, 2021, and August 28, 2021. A comprehensive review of the affected data was completed on April 11, 2022. United Health Centers said it “then worked expeditiously to provide notice to those patients whose information was found within those documents.”

The documents contained names, Social Security numbers, and medical record numbers. Affected individuals have been offered a one-year complimentary membership to Experian’s identity theft restoration and credit monitoring service. It is currently unclear exactly how many patients have been affected. The breach has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals – a common placeholder used when the total number of affected individuals has yet to be established.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Lee County Emergency Medical Services Notifies Patients About Third-Party Data Breach

Lee County Emergency Medical Services has recently started notifying certain patients about a business associate-related data breach. Intermedix Corporation worked with Lee County Emergency Medical Services for almost 15 years, with the contract terminating in September 2014. Intermedix Corporation worked with a law firm, Smith, Gambrell & Russell (SGR), and certain patient data had been provided to that law firm.

Lee County Emergency Medical Services said in an August 11, 2022, breach notification on its website that it was notified on August 4, 2022, about the data breach at the law firm. SGR said it discovered on August 9, 2021, that files had been exfiltrated from its systems by an unauthorized individual, and those files contained the sensitive information of its clients. A vendor was engaged to assist with the investigation to determine the scope of the breach, and the review of the documents was completed on May 17, 2022. SGR said the breached information included names, addresses, Social Security numbers, driver’s license numbers, government IDs, and medical information, such as treatment, diagnosis, and medical history. SGR said it has taken steps to improve security and has offered affected individuals complimentary credit monitoring services.

Lee County Emergency Medical Services said it was notified about the incident on august 4, 2022, and has since been working closely with Intermedix Corporation to identify the affected individuals and said notifications. Notification letters will be sent to affected individuals within 14 to 21 days. The incident has yet to appear on the HHS’ Office for Civil Rights Breach portal so it is unclear how many individuals have been affected. Lee County Emergency Medical Services said around 2% of the records provided to SGR were compromised.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist