Data Breaches Reported by Activate Healthcare, Community Research Foundation, Henrietta Johnson Medical Center and The Williamsport Home

Activate Healthcare Announces Security Breach with About 93,761 Patients Affected

The healthcare company, Activate Healthcare, LLC, based in Illinois lately announced that it encountered a security breach that led to the stealing of patient records. It detected suspicious activity inside its IT systems on April 27, 2023. A following forensic investigation affirmed the unauthorized access by a third party to its system from April 22, 2023 to April 28, 2023.

It was reported on April 29, 2023 that the attacker exfiltrated files that contained patient data like names, birth dates, addresses, driver’s license numbers, Social Security numbers, and clinical data, like provider names, diagnoses and/or dates of service. When issuing breach notification letters, there was no proof that suggest the misuse of patient information; nonetheless, as a safety measure, impacted persons were provided free credit monitoring and identity protection services. As per Activate Healthcare, it will continue to take steps to improve the protection of its computer network.

The breach report submitted to the HHS’ Office for Civil Rights indicates that around 93,761 patients were affected.

30,000-Record Data Breach at Community Research Foundation

Non-profit research foundation, Community Research Foundation (CRF) based in San Diego, CA develops and manages programs dedicated to the treatment, instruction, and rehab of people having mental health issues and substance use issues. It recently reported that sensitive health information had been accessed by an unauthorized person in 2022.

CRF noticed a security breach on October 13, 2022, and third-party cybersecurity specialists helped to check out the incident. CRF stated the analysis of the impacted files came to the conclusion on April 19, 2023, when it was established that the protected health information (PHI) of people who wanted healthcare services via medical and/or social services that CRF supports was engaged in. That data included names, driver’s license numbers, Social Security numbers, birth dates, healthcare treatment and/or diagnosis details, and/or medical insurance data.

CRF stated after identifying which persons were affected, contact details must be confirmed in order to mail the notification letters, therefore the delay in sending notification letters. The breach notice did not mention when the systems breach occurred.CRF There is also no credit monitoring services do not seem to have been provided to impacted people.

The data breach report was lately submitted to the HHS’ Office for Civil Rights indicating that around 30,057 persons were affected.

Henrietta Johnson Medical Center Patients Impacted by Delaware Health Network Data Breach

The Henrietta Johnson Medical Center (HJMC) located in Wilmington, DE, experienced the impact of a security incident at Delaware Health Network (DHN), its electronic health records management provider and healthcare-controlled network provider. As per the HJMC notice, unauthorized persons acquired access to specific DHN systems on or about April 5, 2023, and extracted files from those programs. DHN is presently looking into the incident to find out the scope of the data breach. It has advised HJMC as well as other clients that their information could have been affected.

HJMC has not received information concerning the number of affected patients. According to the results of the forensic investigation thus far, these data types could have been compromised: complete name, birth dates, ethnicity, diagnosis code, laboratory results, medical record number, and medical insurance details. DHN stated that the hacker did not view or steal any financial account data or Social Security numbers.

HJMC stated it is going over its guidelines and procedures associated with third-party providers and will continue to ask for details from DHN regarding the event. As a safety precaution, the medical center sent notifications to all patients. The breach report submitted to the HHS’ Office for Civil Rights indicated 500 persons were affected. An update of that number will be given as soon as DHN reports the number of patients affected.

Cyberattack Impacts Several Residential Care Facilities in Pennsylvania

A cyberattack that was discovered on April 24, 2023 affected The Williamsport Home, a retirement village located in Pennsylvania. The incident also affected Senior Choice, Inc., a company offering skilled nursing care at three inpatient facilities in Pennsylvania: Beacon Ridge in Indiana, The Atrium in Johnstown, and The Patriot in Somerset.

Upon discovery of the security breach, steps were promptly undertaken to protect the network. Although the cyberattack is still being investigated, it has been confirmed that unauthorized persons acquired access to particular business operation systems from April 18 to April 24, 2023. The systems employed directly for residential care don’t seem to have been affected; nevertheless, the business systems affected in the attack included PHI that was possibly viewed or stolen.

The types of data that were compromised differed from one person to another and might have contained at least one of these data elements: Name, address, date of birth, admission date, discharge date, date of death, provider or facility name, medical record number,
health condition, diagnosis and/or treatment details, laboratory results, prescription drugs, payment amount records, insurance payment amount data, date of service, financial account data, credit card number, medical details, medical insurance data, Social Security number,
driver’s license or state ID number, passport number, and any data on an individual that was generated, used, or disclosed while providing health care services.

Extra technical safety measures are being put in place to enhance security to stop the same breaches later on. It is not yet known how many persons were impacted, so all persons that are presently getting services or have received them before should be attentive against any improper use of their data. To satisfy the requirement for breach reporting as stated in the HIPAA Breach Notification Rule, The Williamsport Home and Senior Choice submitted the breach report to the HHS by indicating that at least 500 persons were affected. The total of affected individuals will be provided when there is a confirmed number of individuals affected.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone