Data Breaches Reported by PharMerica, MedMinder Systems, Absolute Dental Services and SouthCoast Medical Group

PharMerica Cyberattack Impacts 219,700 Patients

The pharmaceutical and infusion product company Amerita based in Kansas recently informed 219,707 people whose protected health information (PHI) was compromised in a cyberattack involving the computer system of Amerita and its parent corporation, PharMerica. Based on the breach notification letters, the company detected suspicious activity in its computer network on March 13, 2023. The forensic investigation stated that unauthorized persons got access to its system between March 12 and March 13, 2023. At that time, the attacker may have stolen files from its systems.

Amerita stated that the data possibly exposed in the incident contained names, addresses, health histories, diagnoses, prescription drugs, and medical insurance data. There was no evidence found that indicate the compromise of driver’s license numbers and Social Security numbers. PharMerica and Amerita have upgraded their technical security measures to avoid the same occurrences down the road.

Amerita’s notification letters did not mention the actual nature of the attack; nevertheless, it seems that the Money Message ransomware group carried out a ransomware attack. The Money Message group professed to have been responsible for the cyberattack and stated that it stole 4.7 terabytes of information. PharMerica submitted the data breach report to the HHS’ Office for Civil Rights in May 2023 indicating that 5,815,591 persons were impacted.

Cyberattack on MedMinder Systems, Inc. Last February 2023

Medication management and pharmacy solution provider MedMinder Systems, Inc. based in Massachusetts recently stated that the PHI of 12,146 persons was compromised and possibly stolen during a cyberattack in February 2023. The forensic investigation affirmed that an unauthorized entity got access to its system from February 7, 2023 to February 21, 2023.

The analysis of the files possibly viewed in the cyberattack was done on August 8, 2023. MedMinder systems sent notification letters to the impacted persons on September 1. The compromised information was restricted to names, birth dates, and prescription data. MedMinder stated its security system has been improved with sophisticated threat detection and tracking systems and that its procedures and internal controls will still be examined and upgraded to improve the privacy and security of private data.

Compromise of Absolute Dental Services Email Account

Dental laboratory Absolute Dental Services based in Durham, NC has encountered a security breach affecting the PHI of 10,037 patients of the dental practices it supports. The provider detected suspicious activity in the email account of an employee on February 21, 2023 and took immediate steps to keep the account safe. Absolute Dental Services launched an investigation to find out the nature and extent of the email account breach. On March 8, Absolute Dental Services reported that the incident only affected one account. Then, it hired a vendor to analyze the account to know which data was possibly accessed.

Absolute Dental Services confirmed in June that the account included the PHI of a number of patients, such as names, birth dates, service dates, full face pictures, doctor/medical facility details, medical problem/ treatment details, medical device identifiers, medical record numbers, medical diagnosis data, and DNA profiles. Impacted persons received notification on August 21, 2023. During the issuance of notification letters, there was no patient data misuse discovered.

SouthCoast Medical Group Investigating Cyberattack on its Network

SouthCoast Medical Group based in Georgia recently reported that unauthorized individuals accessed its information systems and exfiltrated files from its system. It detected suspicious activity within its IT system on June 18, 2023. The forensic investigation team confirmed that there was unauthorized access to its programs from June 15 to June 18, 2023. It is believed that the attacker did not access the electronic medical record system; however, files on the breached sections of its system included PHI like names, Social Security numbers, birth dates, addresses, telephone numbers, and data associated with the treatment, like dates of admission/discharge.

The data breach investigation is in progress and SouthCoast Medical Group still does not have the list or information of the affected patients. The group will be issuing notification letters after the completion of the process. Meanwhile, the breach report was sent to the HHS’ Office for Civil Rights with an indication that at least 501 people.

Cyberattack on Mountain View Family Practice in June 2023

Mountain View Family Practice located in Baldwinville, MA, has notified 5,139 concerning a cyberattack on its systems on June 11, 2023. The forensic investigation established that an unauthorized person got access to its programs from June 10 to June 11, 2023, and viewed and possibly stole certain information saved on its systems, such as names and Social Security numbers. The affected individuals received notifications to the impacted persons on August 31, 2023, and offers of identity theft protection and credit monitoring and services.

Hacking Incident at SightPath Medical and Sutter North Surgery Center

SightPath Medical based in Minneapolis, MN, a specialized laser and cataract machines provider, has reported that an unauthorized third party acquired access to its internal IT network and viewed a number of files that included the sensitive data of patients from Sutter North Surgery Center located in Yuba City, CA.

The healthcare provider detected the breach on February 9, 2023. The forensic investigation learned that the initial access to its systems was on February 2, 2023. SightPath Medical looked at all files possibly compromised and confirmed on June 14, 2023 the potential exposure of PHI including names and Social Security numbers. The provider still has to obtain up-to-date contact details in order to send the notification letters. SightPath Medical stated it has put in place extra safety measures to boost the security of its networks and has provided the impacted persons with free credit monitoring and identity theft protection services.

The HHS’ Office for Civil Rights breach portal has not yet published the incident at the time of this writing. The data breach report submitted to the Maine attorney general indicates that 813 individuals were affected.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone