The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Patient Data Likely Lost Due to Cyberattack on Mercy Medical Center – Clinton

Mercy Medical Center – Clinton has notified 20,865 patients about a security incident that disrupted its network. The security breach was detected on April 4, 2023, and the forensic investigation confirmed its network had been accessed by an unauthorized third party between March 7, 2023, and April 4, 2023.

The attack did not affect patient care but prevented access to its systems while the attack was remediated. The review of the incident is ongoing, but it has been confirmed that the following types of information have been exposed: name, address, date of birth, driver’s license/state identification number, Social Security number, financial account information, medical record number, encounter number, Medicare or Medicaid identification number, mental or physical treatment/condition information, diagnosis code/information, date of service, admission/discharge date, prescription information, billing/claims information, personal representative or guardian name, and health insurance information.

Mercy Medical Center did not state whether ransomware was involved but said data had to be restored from backups and some data has likely been lost. Additional technical steps are being taken to try to recreate the lost data that could not be restored. Credit monitoring and identity protection services have been offered to affected individuals and additional technical safeguards have been implemented to prevent similar attacks in the future.

Pioneer Valley Ophthalmic Consultants Notifies Patients About Business Associate Data Breaches

Pioneer Valley Ophthalmic Consultants (PVOC) in Holyoke, MA, has recently notified 36,275 patients that some of their protected health information has been exposed and potentially stolen in two security incidents at third-party vendors, Alta Medical Management and ECL Group, LLC, which provide billing and accounting services.

According to the May 22, 2023, breach notice, the incidents occurred in 2021. PVOC discovered on March 3, 2022, that malware had been installed on the servers of the vendors between November 13, 2021, and November 15, 2021. On May 11, 2022, PVOC learned that Alta’s online patient portal was vulnerable to unauthorized access to payment receipts until October 26, 2021.

The information potentially compromised as a result of the malware incident included names, addresses, Social Security Numbers, payment card information, and medical records. The unsecured patient portal allowed unauthorized access to names, email addresses, transaction dates and times, transaction ID numbers, statement numbers, the last four digits of payment cards/account numbers, and any information entered into the comments field of the portal.

PVOC said it is unaware of any actual or attempted misuse of the exposed information. Monitoring has been stepped up in response to the breaches and additional technical resources and security personnel have been onboarded. Affected individuals have been offered complimentary credit monitoring services.

Topcon Healthcare Solutions Breach Impacts 4,000 Individuals

Topcon Healthcare Solutions, a provider of imaging, diagnostic, and intelligent data technologies, has reported a security breach to the Maine Attorney General that exposed protected health information. The security breach was detected on February 5, 2023, and the forensic investigation confirmed there had been unauthorized access to documents on its systems between January 7, 2023, and February 5, 2023.

In its May 22, 2023, breach notification, Topcon said the review of the incident is ongoing to determine the specific types of information that have been exposed. Notification letters will be sent to affected individuals after that process is completed. The breach was reported to the Maine Attorney General as affecting up to 4,209 individuals.

Canopy Children’s Solutions Investigating Ransomware Attack

Mississippi Children’s Home Society, CARES Center Inc, and Mississippi Children’s Home Services Inc, doing business as Canopy Children’s Solutions, experienced a ransomware attack in April that resulted in the encryption of files on its systems. The attack was detected on April 4, 2023, and third-party forensics experts were engaged to investigate the nature and scope of the incident.

According to Canopy Children’s Solutions’ data breach notice, the attackers accessed certain systems on its network and may have accessed and/or acquired certain files and folders from those systems. The data breach notice – dated June 2, 2023 – states that the investigation is ongoing to determine which individuals have been affected and the types of data involved. Notification letters will be mailed to affected individuals when that process is completed. Canopy Children’s Solutions said it has reviewed its data privacy and security policies and procedures and is implementing additional safeguards to prevent further attacks in the future.

The Nokoyawa threat group has claimed responsibility for the attack and has added Canopy Children’s Solutions to its data leak site. The group says files are being prepared for publication. The group claims to have exfiltrated 150 gigabytes of data. The breach has been reported to the HHS’ Office for Civil Rights with a placeholder of 501 individuals until the full extent of the data breach is known.

Update: February 2, 2024: The exposed data included names, Social Security numbers, dates of birth, proof of address, and photocopies of government-issued ID cards. Credit monitoring and identity theft protection services have been offered to the affected individuals for 12 months at no cost. The OCR breach portal still displays the placeholder of 501.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
