Recent PHI Disclosure Incidents Reported by HCA Healthcare, South Suburban Surgical Suites, edgeMED Healthcare, and Limbach Facility Services

Cyberattack Impacts 11 Million+ HCA Healthcare Patients

HCA Healthcare, based in Nashville, TN, is the largest health system in the United States, with more than 180 hospitals and 2,300 healthcare facilities. It has reported the theft of patients' protected health information (PHI) by an unauthorized individual. The total number of affected persons has not yet been confirmed, but the breach is already known to have affected more than 11 million patients, making it the joint third-largest healthcare data breach ever reported by a HIPAA-covered entity.

Biggest Healthcare Data Breaches

  1. Anthem Inc. – In 2015, 78,800,000 individuals were affected by a Hacking/IT Incident
  2. American Medical Collection Agency – In 2019, 26,059,725 individuals were affected by a Hacking/IT Incident
  3. HCA Healthcare – In 2023, 11,000,000+ individuals were affected by a Hacking/IT Incident
  4. Premera Blue Cross – In 2015, 11,000,000 individuals were affected by a Hacking/IT Incident
  5. Excellus Health Plan, Inc. – In 2015, 9,358,891 individuals were affected by a Hacking/IT Incident

On July 10, 2023, HCA Healthcare reported that hackers had gained access to an external storage location used to automate the formatting of emails, including patient appointment reminders and emails notifying patients about HCA Healthcare programs and services. Although the investigation into the incident is not yet complete, the stolen data set comprised 27 million rows of information containing the PHI of roughly 11 million patients who received care and services at HCA hospitals and physician practices in 20 U.S. states.

The stolen data included names, email addresses, addresses (city, state, zip code), telephone numbers, dates of birth, gender, date(s) of service, location of service(s), and next scheduled appointment date. No clinical data, financial information, or Social Security numbers were compromised. The data relates to individuals who received healthcare services in Alaska, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Louisiana, Mississippi, Missouri, Nevada, New Hampshire, North Carolina, South Carolina, Tennessee, Texas, Utah, or Virginia. HCA Healthcare has published the complete list of affected facilities.

HCA Healthcare stated that the storage location was deactivated as soon as the breach was detected, and that an investigation was launched with the assistance of third-party cybersecurity and digital forensics specialists. The incident did not affect patient care, and HCA Healthcare does not expect it to have a material effect on its business, operations, or financial results. Breach notification letters will be sent once the affected individuals have been identified and their contact details verified. Free credit monitoring services are being offered to those affected.

The person responsible for the attack listed the data for sale on a dark web forum and gave HCA Healthcare until July 10, 2023 to meet their demands. It is not known whether the health system complied, and the nature of the demands has not been disclosed. In its initial breach notice, HCA Healthcare confirmed that an unknown and unauthorized party had posted a listing of certain data relating to some of its patients on an online forum; the listing appeared on July 5, 2023. HCA Healthcare stated that it had received no reports of patient data being misused at that time.

Since the most sensitive categories of data do not appear to have been exposed, affected individuals may not face an immediate risk of identity theft or fraud. They could, however, be targeted with phishing attacks or email, phone, or SMS scams that use the stolen appointment and contact details to appear legitimate, so they should exercise caution with email attachments, links in emails and text messages, and telephone calls requesting sensitive information.

HCA Healthcare said it has a number of robust security strategies, systems, and protocols in place to help protect data, and runs an ongoing training program for its colleagues, physicians, vendors, and others so that they understand safe practices that help ensure compliance and the protection of patient information.

Email Account Breach at South Suburban Surgical Suites

The Munster, IN-based surgical center South Suburban Surgical Suites has reported a breach of a legacy business email account hosted on Microsoft Office 365. The breach was discovered on April 3, 2023, and the investigation confirmed that the account was compromised after an employee responded to a phishing email. The attacker had access to the account from February 20, 2023 to April 3, 2023. South Suburban Surgical Suites completed its review of the account on June 5, 2023, and determined that it contained the PHI of 5,340 patients.

The exposed data varied from person to person and may have included full names along with addresses, dates of birth, driver's license/state ID numbers, Social Security numbers, passport numbers, credit card details and/or financial account information, medical record numbers, provider names, dates of service, diagnosis/procedure information, prescribed medications, health insurance information, and/or billing and claims information.

South Suburban Surgical Suites has offered free credit monitoring and identity protection services to individuals whose Social Security numbers were exposed.

edgeMED Healthcare Reports Computer System Breach

edgeMED Healthcare, LLC, a revenue cycle management and billing provider based in Boca Raton, FL, recently reported that an unauthorized individual had access to its computer systems from May 20, 2023 to May 26, 2023. The information that may have been accessed or stolen includes patient names, rendering provider names, treatment codes, and limited other encounter data.

The attack was discovered on May 26, 2023, and access was promptly blocked. Affected individuals have been notified, and at the time notifications were issued there was no evidence that the compromised information had been misused. edgeMED Healthcare said it has strengthened its security protocols with additional safeguards.

The breach has not yet been posted on the HHS' Office for Civil Rights breach portal, so the number of affected individuals is not yet known.

Email Error by Partnership Health Center

Partnership Health Center (PHC), a healthcare clinic based in Missoula, MT, has reported an impermissible disclosure of a limited amount of patient data due to an email error. The clinic emailed a patient survey to learn about patient experiences; however, some of the emails were inadvertently sent to the wrong recipients.

An email intended for one individual was mistakenly sent to another individual, who was also a Partnership Health Center patient. The only information impermissibly disclosed was the intended recipient's first and last name and, in some cases, middle initial. The email identified that person as having received a medical service from Partnership Health Center between July 2022 and December 2022, but did not indicate the nature of the service.

The breach has been reported to the HHS' Office for Civil Rights as affecting 8,331 individuals.

Limbach Facility Services Reports Breach of Employee Benefit Plan Data

Limbach Facility Services LLC, a construction and engineering firm based in Warrendale, PA, suffered a cyberattack that affected the availability and operation of its computer systems. The security breach was discovered on April 23, 2023, and a forensic investigation confirmed that an unauthorized individual had access to its network from April 19, 2023 to April 22, 2023. During that window, certain files on the system were viewed and exfiltrated. Those files contained the PHI of 1,392 current and former Group Benefit Plan members, including names, Social Security numbers, and limited health insurance plan enrollment information.

The company has implemented additional security measures to strengthen the security of its systems and has offered affected individuals free credit monitoring and identity theft protection services.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone