November 8, 2023, Healthcare Data Breach Round-Up
Mulkay Cardiology Consultants at Holy Name Medical Center has recently confirmed that it fell victim to a ransomware attack. The attack was detected on September 5, 2023, when files on its network were encrypted. According to the breach notice, Mulkay was able to rebuild its systems and recover the encrypted files from backups.
Third-party forensics experts were engaged to investigate the breach and determined that its systems were compromised between September 1, 2023, and September 5, 2023, and during that time, files were exfiltrated that contained personal and protected health information. The compromised information included names, addresses, dates of birth, Social Security numbers, driver’s license numbers or state IDs, medical treatment information, and health insurance information. Mulkay said it has enhanced its technical safeguards to prevent similar incidents in the future. Affected individuals have been notified and offered complimentary credit monitoring services.
The breach was reported to the Maine Attorney General as affecting 79,582, although since the breach is not yet showing on the HHS’ Office for Civil Rights breach portal, it is unclear how many patients were affected. While Mulkay has indicated this was a ransomware attack, the group responsible was not mentioned; however, this appears to have been an attack by the NoEscape group, which was the subject of a recent analyst note from the Health Sector Cybersecurity Coordination Center (HC3). While NoEscape claimed on its data leak site to have stolen around 60GB of data, including the personal information of 30,000 patients, the listing has since been removed, which usually means a ransom has been paid, although this has not been confirmed by the HIPAA Journal.
BHS Physicians Network Reports Email Account Breach
BHS Physicians Network has recently confirmed a breach of a Microsoft Office 365-hosted business email account that was used by a medical assistant. The email account breach was detected on August 11, 2023, and the investigation confirmed that access to the account was possible between July 28, 2023, and August 15, 2023. The email account contained files that included the protected health information of patients of First California Physician Partners, Georgia Northside Ear, Nose, and Throat, and Greater Dallas Healthcare Enterprises.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
BHS Physicians Network has confirmed that the email account was separate from its internal network and systems, which were not affected. On August 30, 2023, it was determined that the account contained demographic information such as full name, date of birth, and address, medical and/or treatment information such as dates of service, provider and facility names, procedure codes, and billing and claims information, such as account and/or claim status, transaction and charge identification numbers, patient account identifiers, and payor information.
BHS Physicians Network said security and monitoring capabilities have been enhanced and systems are being hardened to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights as affecting 1,857 individuals.
Life Generations Healthcare Email Accounts Compromised
Life Generations Healthcare (LGH), a Santa Ana, CA-based medical group, has recently announced that an unauthorized third party gained access to multiple employee email accounts between May 24 to June 13, 2023. While the breach notice does not state when the breach was detected, LGH has confirmed that the breach investigation revealed on October 4, 2023, that some of the accounts contained the protected health information of patients. The information exposed in the breach varied from patient to patient and may have included names, addresses, dates of birth, medical information, health insurance information, Social Security numbers, driver’s license numbers/state IDs, and financial account information.
Notification letters have been sent to the affected individuals and patients who had their Social Security numbers and/or driver’s license numbers exposed have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal so it is unclear how many individuals have been affected.
MOVEit Transfer Hacking Victims
Cadence Bank
Cadence Bank has confirmed that it was affected by the recent mass hacking of the zero-day vulnerability in Progress Software’s MOVEit Transfer solution. The bank said the vulnerability was patched immediately when Progress Software released the patch; however, the vulnerability had already been exploited and data was stolen. Cadence Bank provides lockbox services to North Mississippi Health Services and its affiliates, and on June 18, 2023, the bank confirmed that the data of patients was involved. The compromised data included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical and/or treatment information, and billing and claims information.
Cadence Bank said it has enhanced security and monitoring practices and strengthened system security. Complimentary credit monitoring services have been offered to individuals whose Social Security numbers, driver’s license numbers, and/or financial account information were involved. The breach was reported to the HHS’ Office for Civil Rights as affecting 13,862 individuals.
AlohaCare
AlohaCare, a Honolulu, HI-based community-led, non-profit health plan, has confirmed that the data of 12,982 members was compromised in the recent mass exploitation of a zero-day vulnerability in the MOVEit Transfer solution. The vulnerability was patched as soon as the patch was released by Progress Software, however, the vulnerability had already been exploited. The data stolen included names, addresses, dates of birth, and Social Security numbers. Affected individuals have been offered complimentary credit monitoring services.
Ransomware Gangs Claim Responsibility for Attacks on Healthcare Providers
The following healthcare providers have recently been added to the data leak sites of ransomware groups. On the date of this post, ransomware attacks have not been confirmed by the victims and no data has actually been leaked.
Summit Health (LockBit 3.0)
Summit Health, a Berkeley Heights, NJ, based multi-specialty medical practice with more than 340 locations, has recently been added to the LockBit 3.0 data leak site. The ransomware group gave Summit Health a deadline of November 8, 2023, to pay the ransom or the stolen data would be published. Summit Health has not confirmed the attack and has yet to report a data breach. The LockBit 3.0 data leak site does not state what data was obtained in the attack.
Cardiovascular Consultants (Quilin)
Cardiovascular Consultants in Arizona appears to have fallen victim to a ransomware attack by the Quilin group, which has recently uploaded a 205.93 GB compressed file to its data leak site, which the group claims includes all data stolen in the attack; however, as of November 8, 2023, the link is not working and the data cannot be downloaded. Cardiovascular Consultants has yet to confirm the validity of the group’s claim.
