The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

LockBit Ransomware Group Threatens to Publish Stolen Cancer Patient Data

The LockBit ransomware group has added Varian Medical Systems to its data leak site and has threatened to publish the data of cancer patients if the ransom is not paid. Varian Medical Systems is a Palo Alto, CA-based provider of radiation oncology treatments and software for oncology departments and a subsidiary of Siemens Healthineers. Varian Medical Systems has not yet confirmed the data breach, and the LockBit group has not yet disclosed how much data was stolen in the attack. The group said Varian has been given until August 17, 2023, to enter into negotiations; otherwise, all stolen databases and patient data will be released on its dark web data leak site.

Karakurt Threat Group Says Data Stolen from McAlester Regional Health Center

The Karakurt ransomware group has recently added McAlester Regional Health Center to its data leak site and claims to have stolen more than 1,175 GB of data from the Oklahoma hospital, including 5 GB of SQL data on medical staff and medical reports containing sensitive patient information, including DNA data. According to the listing, the stolen employee data includes Social Security numbers and bank account information. The group has threatened to sell the data if the ransom is not paid. McAlester Regional Health Center has not verified the claim and has yet to announce a data breach on its website or report the incident to the HHS’ Office for Civil Rights.

Precision Anesthesia Billing LLC Reports Breach of the PHI of 209,200 Individuals

The Tampa, FL-based HIPAA business associate, Precision Anesthesia Billing LLC (PAB), reported a breach of the protected health information of 209,200 individuals to the HHS’ Office for Civil Rights on July 7, 2023. While no public notice about the data breach appears to have been published to date, the medical group, Athens Anesthesia Associates (AAA), has confirmed that it was one of the entities affected by the breach.

AAA said it was informed by PAB on May 11, 2023, that the data of some of its patients had potentially been compromised. PAB said a well-known cyber threat actor that has conducted many successful cyberattacks was responsible but did not name the group. PAB was able to successfully stop the attack and secure its systems but said it was likely that files containing patient data were accessed and exfiltrated from its systems between May 4 and May 7, 2023. The information compromised in the incident included names, addresses, phone numbers, email addresses, dates of birth, ages, Social Security numbers, bank account numbers, insurance policy numbers, diagnoses, treatment information and dates, ultrasound images, medical record numbers, and hospital account numbers. AAA said it has offered affected patients two years of complimentary credit monitoring services.


Life Management Center of Northwest Florida Cyberattack Impacts 19,107 Individuals

Life Management Center of Northwest Florida, a provider of mental health, behavioral health, and family counseling services, discovered a security breach on March 31, 2023. Steps were immediately taken to secure its network and third-party forensics experts were engaged to investigate the incident. The investigation confirmed that an unauthorized actor accessed files that contained patient data. A comprehensive review of the affected files concluded on May 26, 2023, that the protected health information of 19,107 individuals had been compromised, including names, Social Security numbers, driver’s license numbers, medical treatment and/or diagnosis information, and health insurance information. Affected individuals were notified on July 25, 2023, and have been offered complimentary credit monitoring services.

Discovery at Home Falls Victim to Phishing Attack

Discovery at Home, a provider of home healthcare services to seniors in Florida and Texas, fell victim to a phishing attack on or around June 1, 2023, in which the email account of an employee was accessed by an unauthorized individual. Discovery at Home said the incident “resulted in the inadvertent transmittal of personal health information via unencrypted e-mail to an unauthorized third-party sender.”

The compromised information included names, addresses, dates of birth, dates of service, treatment-related information, and health insurance information, including insurance beneficiary number, claim number, and policy number. At the time of issuing notification letters, Discovery at Home was unaware of any misuse of the compromised data. Discovery at Home said the email account was immediately secured when the breach was detected, steps have been taken to improve email security, and the employee in question has received further security awareness training. Affected individuals were notified by mail on July 31, 2023.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Bi-Bett Corporation Suffers Email Account Breach

Bi-Bett Corporation, a Californian provider of substance use disorder treatment services, has recently notified 4,722 patients that some of their protected health information was stored in an email account that was accessed by an unauthorized third party. Suspicious activity was identified in the email account on February 17, 2023. The account was immediately secured, and a third-party cybersecurity firm was engaged to investigate. On April 14, 2023, the cybersecurity firm confirmed that patient information may have been accessed or acquired.

The email account was reviewed to identify the affected individuals and the information that had been compromised, and that process was completed on May 22, 2023. The information compromised included first and last names, addresses, Social Security Numbers, driver’s license numbers, Medicaid numbers, and/or medical reference numbers. Bi-Bett said it is working with third-party security experts to strengthen its security posture further. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
