The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

ILS Data Breach Affects Almost 21K Iowan Medicaid Recipients

Posted By on Apr 14, 2023

The Iowa Department of Health and Human Services (DHHS) has confirmed a HIPAA compliance breach where the personal information of 20,815 Iowans who receive Medicaid was exposed in a cyberattack at a subcontractor of one of its business associates between June 30, 2022, and July 5, 2022.

Telligen performs annual assessments on Medicaid recipients for the Iowa DHSS. Telligen subcontracted part of the work to Independent Living Systems (ILS), and it was the systems of ILS that were breached. While ILS discovered the breach in July 2022, it took until February 14, 2023, for Telligen to be notified about the breach. Telligen notified the Iowa DHSS three days later on February 17, 2023. The DHSS will be sending notification letters to the affected individuals over the next few days.

Independent Living Systems reported the breach to the HHS’ Office for Civil Rights using a 501 placeholder until the number of affected individuals is determined; however, the breach was reported to the Maine Attorney General as affecting more than 4 million individuals. You can read more about the Independent Living Systems data breach here.

Hacking Incident Reported by Retina & Vitreous of Texas

The Houston ophthalmology clinic, Retina & Vitreous of Texas, has reported a hacking incident that has affected 35,766 current and former patients. Suspicious activity was detected within its network on February 1, 2023, and it was confirmed on February 15, 2023, that unauthorized individuals had access to parts of its network containing patient data, which many have been viewed or acquired by the attacker.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The review of the affected files was completed on March 21, 2023, and confirmed they contained names, addresses, diagnoses and treatment information, insurance carrier information, and insurance subscriber identification numbers. Notifications were mailed to affected individuals on April 10, 2023.

Southwest Healthcare Services Hacking Incident Affects 16,000 Individuals

Bowman, ND-based Southwest Healthcare Services says hackers had access to its network between October 22 and October 29, 2022, and viewed or obtained files that included patient information. The review of the affected files was completed on January 31, 2023, and notification letters were sent to affected individuals on March 31, 2023.

Southwest Healthcare Services said the compromised information included names, addresses, birth dates, medical record numbers, internal identification numbers, driver’s license numbers, state identification numbers, clinical and treatment information, and health insurance information. Social Security numbers, financial information, and/or payment card information were involved for a limited number of individuals.

Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. The breach was reported to the HHS’ Office for Civil Rights as affecting 15,996 individuals.

Stanford University Employee Data Compromised in Brightline Medical Associates Breach

Stanford University has confirmed that the personal information of certain employees was stolen in a hacking and data theft incident at Brightline Medical Associates. Brightline is a provider of virtual behavioral and mental health services and provides those services to the children of benefits-eligible employees and postdoctoral students across Stanford’s health plans.

Brightline used Fortra’s GoAnywhere Managed File Transfer (MFT) solution, which was hacked on January 30, 2023, by the Clop ransomware group. Ransomware was not used in the attack, but files were stolen. The Stanford University data was limited to covered individuals with dependents under 18 years and was mostly limited to demographic information such as subscriber and dependent names, contact information, member IDs, dates of birth, and coverage start and end dates. No information related to medical services, conditions, diagnoses, or claims was involved. Affected individuals are being notified and have been offered 2 years of complimentary identity theft and credit monitoring services. It is currently unclear how many individuals have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist