Cyberattacks on Westside Community Services, Wyoming County Community Health System, and More Providers Affected by the MOVEit Hack

Cyberattack on Wyoming County Community Health System

Wyoming County Community Health System based in Warsaw, NY, has encountered a cybersecurity attack that has resulted in network disruption. The security breach was discovered on March 28, 2023, and the following forensic investigation confirmed that files were compromised on that date and might have been accessed or obtained by unauthorized persons. An evaluation of the files to identify the persons and types of information involved was accomplished on November 8, 2023. The review revealed that approximately 26,000 individuals were impacted and had some or all of these data elements compromised: name, driver’s license/state ID number, Social Security number, birth date, biometric information, medical data, medical insurance data, and account number.

Affected persons received notification letters on November 16, 2023. Wyoming County Community Health System stated it has applied extra measures to improve network security and prevent the same incident from happening later on.

Cyberattack and Data Theft on Westside Community Services

The social services organization, Westside Community Services, based in San Francisco, CA has sent notification to 2,484 people regarding an incident involving unauthorized access to its system from April 25, 2023 to May 1, 2023. Third-party cybersecurity experts conducted a forensic investigation and reported the exfiltration of files from its system. The document evaluation was done on October 16, 2023.

The stolen information contained full names together with at least one of these data elements: Social Security numbers, birth dates, passport numbers, driver’s license numbers or state ID numbers, other government ID numbers, financial account details, credit or debit card data, usernames and passwords related to online accounts, medical data (date of service, name of provider, patient number, medical record number, medical background, surgical data, prescription medication, and/or treatment details), and/or medical insurance policy data. Westside Community Services stated it continuously checks and changes its practices and internal controls to improve the security and privacy of personal data.

Unauthorized Email Access at Molina Healthcare of Iowa

Molina Healthcare of Iowa, Inc. reported an incident identified on November 22, 2023. There was unauthorized access to the email account of an employee from September 25 to 26, 2023. It wasn’t possible to know whether any data in the email account was stolen, but the analysis of the emails indicated that they included the protected health information (PHI) of 1,647 Medicaid recipients. Those persons were advised about the breach through mail. Molina Healthcare of Iowa stated the breach didn’t impact any members under other managed care companies.

Data Breach Notice Updates by Robeson Health Care Corporation

Robeson Health Care Corporation has given an update regarding a breach that was earlier reported to the Maine Attorney General as impacting 15,045 people. The investigation has affirmed that 62,627 individuals were additionally impacted.

MOVEit Data Breach Impacts 9 Prime Healthcare Hospitals

Prime Healthcare based in Ontario, CA was impacted by a data breach that occurred at its revenue cycle management provider, CBIZ KA. The provider was using Progress Software’s MOVEit Transfer solution when the Clop hacking group exploited a zero-day vulnerability in late May 2023. Prime Healthcare got a copy of the stolen records from CBIZ KA on September 20, 2023, and has affirmed that they included names along with at least one of these data: birth date, address, Social Security Number, medical record number, admission and discharge date.

Prime Healthcare manages 45 hospitals, though only 9 were impacted: Saint Michael’s Medical Center, Saint Clare’s Hospital, and St. Mary’s General Hospital in New Jersey, Lower Bucks Hospital, Roxborough Memorial Hospital, and Suburban Community Hospital in Pennsylvania, Landmark Medical Center in Rhode Island, and Lake Huron Medical Center and Garden City Hospital in Michigan. People whose Social Security numbers were affected received free credit monitoring and identity protection services.

1st Source Bank Affected by MOVEit Transfer Hack

1st Source Bank has reported the theft of PHI of 1,477 people in May 2023 when attackers exploited a zero-day vulnerability in the MOVEit Transfer solution by Progress Software. The breach was detected on June 1, 2023. The analysis of the impacted files and the gathering of data required to mail notification letters was done on or about October 27, 2023. The breached data consists of names and Social Security numbers. Free identity monitoring services were offered to the impacted individuals for one year.

Blue Shield of California Members Impacted by MOVEit Hack

California Physicians’ Service, dba Blue Shield of California, has reported that it was impacted by the mass attack involving a vulnerability in MOVEit Transfer file transfer solution by Progress Software. The breach report was submitted to the HHS’ Office for Civil Rights in two different breach reports, one concerning the 636,848 Blue Shield of California plan members data and the other concerning 26,523 Blue Shield of California or Blue Shield of California Promise Health Plan members data.

The breach happened at an unnamed supplier of Blue Shield of California that handled vision benefits. The supplier utilized the MOVEit Transfer solution to send big files to do its contracted tasks. A zero-day vulnerability in the MOVEIt Transfer solution was attacked from May 28 to May 31, 2023. Extracted files included the names of members, birthdates, addresses, subscriber ID numbers and names, dates of birth, Social Security numbers, group ID numbers, patient ID numbers, vision providers’ names, vision claims numbers, vision-associated treatment and diagnosis data, and vision-related treatment cost data. The Clop hacking group stated it is behind the hacks.

Blue Shield of California explained that the breach did not affect its own networks and was restricted to the MOVEit Transfer server. It offered credit monitoring and identity restoration services to the impacted persons.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone