PHI Potentially Compromised at United Healthcare, Ethan Health, McLaren Greater Lansing and 4 More Healthcare Providers

Credential Stuffing Attack Exposed United HealthCare Member Information

United HealthCare (UHC) has begun informing a number of members about the potential disclosure of some of their protected health information (PHI) to unauthorized persons due to credential stuffing attacks carried out on the UHC mobile app. In a credential stuffing attack, username and password combinations acquired in a breach at one platform are used to gain access to accounts on an unrelated platform. These attacks succeed because people reuse usernames and passwords across several platforms.

The accounts that were accessed without authorization included data such as names, dates of birth, addresses, medical insurance member ID numbers, provider names, service dates, claim information, and group names and numbers. No financial data, Social Security numbers, or driver’s license numbers were compromised.

The attacks happened from February 19 to February 25, 2023. UHC deactivated its portal right away upon discovery of the attacks to stop further unauthorized access and performed a password reset. The investigation found no evidence suggesting that credentials were stolen during the cyberattack on UHC systems. UHC provided the affected persons with free two-year credit protection services.

Email Account Breach at Ethan Health

Ethan Health, a medical laboratory based in Richmond, KY, has confirmed that the PHI of 4,047 persons was contained in employee email accounts that had been accessed by unauthorized persons. The laboratory detected suspicious activity within its email accounts on August 31, 2022. According to the forensic investigation, the accounts had been accessed from May 5, 2022 to September 8, 2022. The investigation and the review of the email accounts took 7 months and were completed on March 9, 2023.

The data in the accounts differed from one person to another. The following data may have been included: names, birth dates, driver’s license numbers, credit or debit card data, financial account details, medical data, and medical insurance data. Impacted persons were provided free credit monitoring services for two years. Extra security measures were put in place to prevent similar incidents in the future.

Hospital Records Exposed at McLaren Greater Lansing

McLaren Greater Lansing Hospital, based in Michigan, left boxes of private medical documents in a decommissioned hospital, where unauthorized individuals could have potentially accessed the records. Someone who joined a preview of the campus discovered the records on April 19, 2023, before the auction. The individual who discovered the records stated the files contained sensitive data including names, addresses, telephone numbers, and medical data. The number of persons affected by the data breach is presently uncertain.

McLaren Greater Lansing Hospital stated the records were meant to be safely destroyed, but someone accessed them before that process was carried out. The incident was investigated to find out how the whistleblower was able to get access to the files. The hospital has affirmed that it is reverifying that all documents awaiting destruction are secured against unauthorized access.

Ransomware Attack at NYSARC Columbia County Chapter in July 2022

NYSARC Columbia County Chapter (COARC) has begun informing selected persons about the potential access and theft of some of their PHI by unauthorized individuals as a result of a July 2022 ransomware attack. According to the breach notifications, COARC detected suspicious activity in its system on July 19, 2022, that seemed to be due to a ransomware attack. It took steps right away to contain the incident and launched an investigation, which confirmed that the attacker accessed selected COARC systems for a period of time in July.

The attacker's sole intention in encrypting data seems to have been extortion. It is unknown whether data exfiltration happened; however, it cannot be excluded. COARC didn’t mention if it paid the ransom. The types of data affected by the attack included names and at least one of the following: address, Social Security number, credit card details, financial account details, medical data, student data, passport number, and driver’s license. No evidence of misuse of that data was found in the 9 months between the discovery of the breach and the issuance of notifications on April 28, 2023. COARC stated it implemented extra security procedures to better secure its network, email accounts, and other systems from attacks in the future.

Network Security Incident at Petaluma Health Center

Petaluma Health Center (PHC), located in California, has confirmed that an unauthorized entity obtained access to its system and possibly stole patient data. PHC stated it detected a network security incident on March 14, 2023; however, it did not disclose any other information about the nature of the incident, for instance, whether it was a ransomware attack or how long the network was accessed.

PHC stated that the data managed by the payroll and human resources department was likely accessed, though no evidence of data misuse was found. The data exposed in the attack contained at least one of these: complete name, address, driver’s license number, Social Security number, passport number, birth date, and/or medical insurance plan details.

PHC stated it is checking and improving technical safety measures to prevent similar incidents in the future, and impacted persons were provided single-bureau credit monitoring services for free. It reported the breach to the California Attorney General; however, the information is not yet available on the HHS’ Office for Civil Rights breach website. Therefore, the number of affected persons is still uncertain.

9,457 Individuals Affected by Health Plan Services Malware Infection

Health Plan Services Inc, based in Tampa, FL, a technology-based services provider to health plans, has discovered malware on its system that potentially enabled unauthorized persons to view and obtain files that contain the PHI of 9,457 persons.

According to the notification letter submitted to the California Attorney General, the health plan detected a malware infection on June 23, 2022. The forensic investigation lasted 8 months, ending on February 28, 2023. The audit of documents concluded on March 21, 2023. Health Plan Services issued notification letters on or about April 28, 2023.

The breach affected the names, personal data, and Social Security numbers of client members. The notifications sent to affected individuals state the specific types of data that were exposed/stolen. The affected individuals received identity theft protection services. The provider also reviewed and improved its security practices and provided extra training to its employees.

8-Month System Compromise at Mars Area School District

Unauthorized persons acquired access to the network of Pennsylvania-based Mars Area School District from January 27, 2022 to September 26, 2022. The hacker potentially acquired the personal data and PHI of up to 1,270 persons. The breach notifications did not say when the school district detected the intrusion. However, the notifications mentioned that the long forensic investigation and manual document audit delayed the sending of notifications by almost 6 months. The exposure of sensitive data was confirmed on March 30, 2023 and notifications were sent via mail to impacted persons on April 24, 2023.

The school district stated that the potentially accessed information included the names along with at least one of these data types: Social Security number, state ID number, driver’s license number, medical insurance data, medical details, username/password, and financial account details. Free credit monitoring services were provided to those who had their Social Security numbers exposed.

Mars has reviewed and updated its practices and internal controls to strengthen the security and protection of personal data. Passwords were updated and email access protocols were strengthened.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone