ILS Data Breach Affects Almost 21K Iowan Medicaid Recipients
The Iowa Department of Health and Human Services (DHHS) has confirmed a HIPAA compliance breach where the personal information of 20,815 Iowans who receive Medicaid was exposed in a cyberattack at a subcontractor of one of its business associates between June 30, 2022, and July 5, 2022.
Telligen performs annual assessments on Medicaid recipients for the Iowa DHSS. Telligen subcontracted part of the work to Independent Living Systems (ILS), and it was the systems of ILS that were breached. While ILS discovered the breach in July 2022, it took until February 14, 2023, for Telligen to be notified about the breach. Telligen notified the Iowa DHSS three days later on February 17, 2023. The DHSS will be sending notification letters to the affected individuals over the next few days.
Independent Living Systems reported the breach to the HHS’ Office for Civil Rights using a 501 placeholder until the number of affected individuals is determined; however, the breach was reported to the Maine Attorney General as affecting more than 4 million individuals. You can read more about the Independent Living Systems data breach here.
Hacking Incident Reported by Retina & Vitreous of Texas
The Houston ophthalmology clinic, Retina & Vitreous of Texas, has reported a hacking incident that has affected 35,766 current and former patients. Suspicious activity was detected within its network on February 1, 2023, and it was confirmed on February 15, 2023, that unauthorized individuals had access to parts of its network containing patient data, which many have been viewed or acquired by the attacker.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The review of the affected files was completed on March 21, 2023, and confirmed they contained names, addresses, diagnoses and treatment information, insurance carrier information, and insurance subscriber identification numbers. Notifications were mailed to affected individuals on April 10, 2023.
Southwest Healthcare Services Hacking Incident Affects 16,000 Individuals
Bowman, ND-based Southwest Healthcare Services says hackers had access to its network between October 22 and October 29, 2022, and viewed or obtained files that included patient information. The review of the affected files was completed on January 31, 2023, and notification letters were sent to affected individuals on March 31, 2023.
Southwest Healthcare Services said the compromised information included names, addresses, birth dates, medical record numbers, internal identification numbers, driver’s license numbers, state identification numbers, clinical and treatment information, and health insurance information. Social Security numbers, financial information, and/or payment card information were involved for a limited number of individuals.
Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. The breach was reported to the HHS’ Office for Civil Rights as affecting 15,996 individuals.
Stanford University Employee Data Compromised in Brightline Medical Associates Breach
Stanford University has confirmed that the personal information of certain employees was stolen in a hacking and data theft incident at Brightline Medical Associates. Brightline is a provider of virtual behavioral and mental health services and provides those services to the children of benefits-eligible employees and postdoctoral students across Stanford’s health plans.
Brightline used Fortra’s GoAnywhere Managed File Transfer (MFT) solution, which was hacked on January 30, 2023, by the Clop ransomware group. Ransomware was not used in the attack, but files were stolen. The Stanford University data was limited to covered individuals with dependents under 18 years and was mostly limited to demographic information such as subscriber and dependent names, contact information, member IDs, dates of birth, and coverage start and end dates. No information related to medical services, conditions, diagnoses, or claims was involved. Affected individuals are being notified and have been offered 2 years of complimentary identity theft and credit monitoring services. It is currently unclear how many individuals have been affected.