Breaches at Southeastern Council on Alcoholism and Drug Dependence and Independent Health Impact 32,000 Persons

A ransomware attack on the Southeastern Council on Alcoholism and Drug Dependence (SCADD), based in Lebanon, CT, resulted in extensive file encryption. SCADD detected the attack on February 18, 2019, when the network experienced problems. The investigation confirmed that ransomware had been installed on systems that contain some patients’ protected health information (PHI).

Although no evidence was found indicating that the attackers accessed documents containing PHI, the forensic investigators could not rule out the possibility of patient data access. Subsequently, SCADD reported the incident to the HHS’ Office for Civil Rights as a potential data breach and sent notification letters to affected patients. Thus far, no reports have been received suggesting the misuse of any patient information.

Patients were informed about the potential compromise of their data, including their names, addresses, health histories, treatment details, and Social Security numbers. All affected persons were offered free credit monitoring and identity theft protection services. OCR’s breach summary on its website reveals that the incident affected up to 25,148 patients.

The health plan Independent Health, based in Amherst, MA, discovered that an employee accidentally emailed files containing the PHI of 7,600 members to an Independent Health member not authorized to see the data on March 19, 2019. That person got in touch with Independent Health an hour after receiving the email to report the privacy breach and to confirm deletion of the email message and documents.

The information contained in the documents includes plan members’ ID numbers, dates of service, providers seen, claim numbers, claim payment details, and medical treatment codes. Although no Social Security numbers or financial data were compromised and there’s a low risk of identity theft or fraud, Independent Health offered all impacted persons one year of free identity theft protection and credit monitoring services. The employee involved was subjected to disciplinary measures according to company policy.