Data Breaches Reported by DC Health Link, Community Health Systems, Codman Square Health Center, and Greater Dayton Community Health Center

DC Health Link Data Breach and Theft of PII of Lawmakers and Capitol Hill Staff

A cyberattack on the medical insurance marketplace, DC Health Link, resulted in the theft of the personal data of lawmakers and staffers. DC Health Link provides services to about 100,000 individuals, which include 11,000 members and staffers of Congress. The data breach investigation just started therefore it is still uncertain how many people were impacted. At this point of the investigation, it seems that the hacker responsible for the attack did not particularly target the personally identifiable information (PII) of those in the House of Representatives or Congress.

House Chief Administrative Officer, Catherine Szpindor, published a statement saying that there was a substantial data breach with potential theft of the PII of many individuals. She mentioned the Federal Bureau of Investigation (FBI) is helping with the investigation and is looking into the theft of the PII of numerous Congress members and staff. She likewise confirmed the exposure of a number of DC Health Link Customer information on an open forum. An investigation is presently ongoing to find out how the attacker got access to the medical insurance marketplace and what is the magnitude of the data breach. She advises placing credit freezes with three principal credit agencies as a safety measure and likewise expanding those credit freezes to family members since their data could also have been breached.

The Senate Sergeant at Arms notified the Senate members concerning the data breach through email. The notification mentioned that the stolen information included complete names, relationships (self, spouse, child), enrolment dates, and email addresses. There was no other PII that seem to have been exposed. House Minority Leader Hakeem Jeffries (D-NY) and House Speaker Kevin McCarthy (R-CA) wanted DC Health Link to give more details about the data breach including the actions taken as a result of the breach.

One recognized member of a hacking community forum tried to sell the stolen information, which was advertised as containing the PII of 170,000 people such as personal data, birth dates, Social Security numbers, the names of spouses and children, and other sensitive data. A sample of the data of 11 people was included in the listing to prove the legitimacy of the dataset. Congressmen McCarthy and Jeffries stated that the FBI bought some of the information, which included Social Security numbers and other sensitive data. The hacker seemed not to be aware that the dataset contained the PII of Congressmen and employees; nevertheless, since the data breach is already publicized, that will be made clear. The hacker has since revised the post stating that the data is sold. A representative for the DC Health Benefit Exchange Authority, which operates DC Health Link, stated that the affected individuals received credit monitoring services.

Community Health Systems Alert: GoAnywhere Data Breach Affected Up to 1 Million People

In the middle of February, Community Health Systems submitted a report to the U.S. Security and Exchange Commission (SEC) stating that it encountered a security incident that affected Fortra’s GoAnywhere MFT, its secure file transfer software program. The Clop ransomware group took responsibility for the attack and said it exfiltrated the information of 130 software users. The modus operandi of the group entails issuing ransom demands together with threats to post stolen information. But the group does not use ransomware to encrypt files. In the report filed with the SEC, Community Health Systems mentioned that the protected health information (PHI) of approximately 1 million people was possibly affected and that investigation into the attack was in progress.

Community Health Systems has already published additional details about the data breach and stated it will begin delivering notification letters to all affected persons in the middle of March. Community Health Systems affirmed that Fortra has agreements with CHSPSC, LLC, which is a professional services provider to hospitals and clinics associated with Community Health Systems Inc. Fortra informed CHSPSC about the security incident, which was discovered on January 30, 2023. The system was taken offline on January 31, 2023. According to the investigation, an unauthorized person got access to the system from January 28, 2023 to January 30, 2023, by taking advantage of an earlier unidentified vulnerability. An issue with the pre-authentication command injection resulted in the compromise of a set of files all across the GoAnywhere platform. CHSPSC was informed concerning the breach on February 2, 2023, and started its own inspection to find out the scope of breached patient data.

Community Health Systems already confirmed the compromise of the personal data and PHI of patients of CHSPSC affiliates, as well as the personal data of some employees and other people. That data includes complete names, addresses, insurance data, medical billing details, medical data like diagnoses and prescription drugs, and demographic details, for example, Social Security numbers and birth dates.

Fortra stated it ended access by taking the platform offline as soon as it discovered the breach. The present GoAnywhere platform is redesigned with extra system restrictions. The patch for the exploited vulnerability has been available since February 6, 2023. CHSPSC stated that it has applied extra security measures to strengthen the protection of the GoAnywhere platform.

All impacted persons will be provided free identity recovery and credit monitoring services for two years. Community Health Systems has additionally confirmed its coordination with law enforcement, the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) regarding the investigations.

The incident is not yet posted on the HHS’ Office for Civil Rights breach website therefore it is uncertain at the moment how many persons were affected.

Ransomware Attack at Codman Square Health Center

Codman Square Health Center based in Boston, MA, has reported that it encountered a ransomware attack last November 2022 allowing hackers to access the PHI of 10,161 present and past patients.

The health center detected the incident on November 28, 2022, and engaged third-party digital forensics professionals to look into the security breach and find out the nature and extent of the cyberattack. The investigation revealed that unauthorized persons acquired access to some areas of its system from November 23 to November 28. During this time, the attackers possibly viewed or took files that contain patient information.

Codman Square Health Center confirmed on January 25, 2023 that the compromised section of its network contained a folder with patient information. However, it cannot be determined if the unauthorized person got access to the folder. The following information was included in the files: names, dates of birth, addresses, medical record numbers, diagnoses, treatment data, and claims details.

The health center is sending notifications to affected persons and has taken steps to enhance privacy and security and avoid similar incidents in the future.

Community Health Center of Greater Dayton Reports Email Exposure

Community Health Center of Greater Dayton located in Ohio lately reported the exposure of the PHI of over 500 patients due to an email error. The health center sent an email to a business associate on February 2, 2023. The email message included a listing of patients’ dental consultations. The business associate was permitted to access that information; the problem was that the email wasn’t encrypted and someone might have intercepted it.

The list contained patient names, birth dates, medical record numbers, consultation dates/times, and a short explanation for booking the appointment. The possibility of data misuse is thought to be minimal, however, notification letters were sent notifying patients regarding the HIPAA breach. The health center also implemented additional safety measures and provided staff training on the proper way to send secure emails.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at