Cyberattacks Reported by Cook County Health, AIDS Alabama, OrthoAlaska and Bluegrass Care Navigators

Cook County Health Patients Impacted by a Cyberattack on a Medical Transcription Company

Perry Johnson & Associates, Inc. (PJ&A), a business associate of Cook County Health, informed Cook County Health, which manages Provident Hospital and John H. Stroger, Jr. Hospital in Chicago, IL, about the potential compromise of its patient data in a cyberattack. As a medical transcription services provider for Cook County Health, PJ&A had access to patients’ protected health information (PHI). On July 21, 2023, PJ&A informed Cook County Health about its investigation of a cyberattack. On July 26, 2023, it was confirmed that the personal data of Cook County Health patients was held on the breached parts of PJ&A’s system.

The forensic investigation revealed that the systems storing the patient data were accessed by an unauthorized third party in April 2023. Two months after Cook County Health learned about the attack, PJ&A still has not provided a final listing of the impacted patients and the breached information. No notification letters have been mailed yet. Cook County Health stated the data likely exposed in the attack will include names along with at least one of these data elements: birth date, address, encounter number, medical record number, medical data, dates/times of service, and, in certain instances, Social Security number.

Cook County Health stated its lawyer is working hard to get the final listing of patients from PJ&A and will mail the notification letters as soon as the listing is provided. Free credit monitoring and identity protection services will be provided to the impacted persons. Cook County Health stated it discontinued sharing information with PJ&A when it discovered the data breach and ended its business associate agreement with PJ&A. To meet the breach notification requirements, a breach report was submitted to the HHS’ Office for Civil Rights indicating that at least 500 persons were affected; the report will be updated when the final patient listing is available.

10-Month Breach Discovered at AIDS Alabama

AIDS Alabama, Inc., a social services organization based in Birmingham, AL, found out that an unauthorized third party had accessed its system. An independent digital forensics company was hired to investigate the security breach and confirmed that an unauthorized third party had access to its network from October 11, 2021 to August 9, 2022. During that time, sensitive information could have been accessed or stolen.

On August 14, 2023, AIDS Alabama confirmed the potential compromise of information such as full names, addresses, medical diagnoses, doctor names, medical insurance data, Social Security numbers, email addresses, and the health services received. The breach report recently submitted to the HHS Office for Civil Rights indicates that 1,922 individuals were affected.

Mailing of notification letters to the impacted persons began on September 22, 2023. AIDS Alabama stated it is focused on protecting the privacy of the personal data it keeps, has taken extra safety measures to protect it, and will continue to assess and alter its procedures to improve the privacy and protection of personal data.

Gillette Children’s Specialty Healthcare Impacted by MOVEit Hack at Business Associate

Gillette Children’s Specialty Healthcare recently stated that the PHI of 542 patients was exposed during the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer application in May 2023. Its business associate, Nuance Communications, used the file transfer application for exchanging data such as MRIs, X-rays, and other medical images.

Although the attack took place in May, Gillette Children’s Specialty Healthcare was notified about the attack on August 7, 2023. The data compromised during the attack contained names, services offered, dates of service, practitioner names, names of facilities, and medical record numbers for certain patients.

Data Breach Impacts 176,200 OrthoAlaska Patients

OrthoAlaska has submitted a data breach report to the HHS’ Office for Civil Rights (OCR) indicating that 176,203 patients were impacted. Currently, not much is known regarding the data breach other than that it was a hacking/IT incident in which patient data was compromised or stolen. The OrthoAlaska website has not mentioned anything about the data breach thus far.

The exposure of data could possibly be connected to a data breach at OrthoAlaska in October 2022 that compromised the data of past employees. It was confirmed on March 3, 2023 that employee data was compromised. Notifications were sent on April 3, 2023.

PHI of Physical Therapy Patients in New York Exposed Due to a Cyberattack

The PHI of patients of Dr. Patty DiBlasio, Physio Logic Chiropractic and Physical Therapy, and Physio Logic Medicine was compromised in a cyberattack. The healthcare provider discovered the cyberattack on July 31, 2023 and launched a comprehensive investigation to determine the nature and extent of the cyberattack. The investigation showed that an unauthorized third party accessed just one server from July 2, 2023 to August 4, 2023. On September 14, 2023, access to PHI, such as names, addresses, birth dates, driver’s license numbers, state ID numbers, diagnoses, treatment data, medical insurance data, and payment card details, was confirmed.

The healthcare provider mailed notifications to the 9,580 people who were impacted by the breach. The delay in sending notification letters was because of the time it took to determine and validate address details. Additional technical safety measures are being implemented, and policies and procedures are being evaluated for further updates to enhance data security.

Email Account of Bluegrass Care Navigators Compromised

Hospice of the Bluegrass, Inc., based in Kentucky and doing business as Bluegrass Care Navigators, has found out that an unauthorized third party gained access to an employee’s email account. The unauthorized access was discovered on July 31, 2023, and after securing the email account, third-party digital forensics professionals were engaged to determine the scope of the data breach.

The investigation confirmed that the attacker viewed three files that included the PHI of 6,814 patients. The breached information only included names, dates of birth, and addresses. No medical data was viewed or stolen during the attack. Bluegrass Care Navigators mailed notification letters to the impacted persons and implemented extra safety measures for its email system.

Cyberattack on Mosaic Mental Health in July 2023

Riverdale Mental Health, dba Mosaic Mental Health, based in New York City, recently announced a cyberattack that was uncovered on July 27, 2023. Based on the forensic investigation, an unauthorized third party accessed sections of its computer systems that included patient data.

The data possibly breached in the attack contained names, addresses, birth dates, Social Security numbers, medical plan details, diagnosis codes, and clinical information including medical records requests, procedure codes, progress notes, and evaluations. Although data was compromised, no misuse of patient data has been identified. Mosaic Mental Health stated administrator credentials were modified and additional steps are being taken to improve network protection. The breach report was recently submitted to the HHS’ Office for Civil Rights indicating that 7,281 individuals were affected.