The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

24,400 Rite Aid Customers Had Personal Information Compromised in May Cyberattack

Rite Aid has confirmed that the protected health information of up to 24,400 of its customers has been stolen in a cyberattack. The stolen files contained names, birth dates, addresses, prescription information, and limited insurance information. Social Security numbers and financial information were not exposed or stolen in the attack. Rite Aid said a vulnerability was exploited by the attackers to gain access to sensitive data. Rite Aid was notified about the vulnerability by a third-party vendor and a patch has now been applied to correct the vulnerability.

The vulnerability was identified on May 31, 2023, with the forensic investigation confirming data theft occurred on May 26, 2023. While Rite Aid did not disclose the name of the vendor, the timing of the attack and the nature of unauthorized access suggest this was an attack by the Clop threat group, which conducted mass attacks that exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution.

Wake Family Eye Care Suffers Ransomware Attack

Wake Family Eye Care in Cary, NC, recently fell victim to a ransomware attack. The attack was detected on June 2, 2023, when files were discovered to have been encrypted. Systems were immediately isolated to prevent further unauthorized access and the incident was contained the same day. A third-party forensics firm was engaged to investigate and determine the extent of the breach. While no evidence of data theft was found, it was not possible to rule out the possibility of data theft.

The review of files on the affected part of the network revealed they contained names, addresses, dates of birth, partial or full Social Security Numbers, driver’s license/passport/other government-issued ID numbers, insurance numbers, optical images, chart numbers, and related eye records. Financial information was not compromised.

Notification letters have been sent to the 14,264 individuals potentially affected by the incident.

Catholic Charities of the Archdiocese of Newark Investigating Cyberattack

Catholic Charities of the Archdiocese of Newark has confirmed that unauthorized individuals gained access to some of its computer systems. The breach was detected on May 8, 2023, and third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the breach. The investigation confirmed that hackers had access to systems where protected health information was stored between April 30, 2023, and May 8, 2023. Some of the files were acquired in the attack.

The stolen files included individuals’ names, dates of birth, driver’s license information, Social Security numbers, medical information, and health insurance information. The review of the files is ongoing to determine how many individuals have been affected, and notification letters will be sent when that process has been completed. To meet the deadline for reporting data breaches, the HHS was notified that at least 501 individuals have likely been affected. The total will be updated when the investigation is completed.

Lancaster Orthopedic Group Notifies Patients About March Cyberattack

Lancaster Orthopedic Group in Manheim Township, PA, has discovered unauthorized access to its network. The breach was detected on March 29, 2023, with the review of the affected files confirming that names, addresses, dates of birth, Social Security numbers, medical treatment information, and insurance information were potentially compromised. The breach has been reported to the HHS’ Office for Civil Rights as affecting a minimum of 500 individuals, although up to 2,000 patients may have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
