Roundup of Recent Cyberattack and Data Breaches

37,000 Health Plan Members Affected by SundaySky Cyberattack

SundaySky based in New York provides businesses with software solutions for producing marketing videos. It recently reported that unauthorized persons acquired access to the servers in its cloud storage and possibly stole customer information. SundaySky detected unauthorized access on January 8, 2023, and had the forensic investigation team confirm that file extraction occurred from January 6 to January 8, 2023. The affected files included data provided by health plan clients between December 2018 and January 2019.

SundaySky, together with the health plan company, worked on identifying the affected data. The review was accomplished on February 20, 2023. The 37,095 impacted individuals have received the notifications. The following are the types of data exposed: first names, Healthcare Savings Account (HSA) effective date and deductible, personal email addresses, and data associated with a copay. SundaySky stated that it has implemented additional technical safety measures for its cloud storage to stop identical breaches later on.

Patient Names Impermissibly Disclosed by Postal Prescription Service to Kroger

Healthy Options Inc., also doing business as Postal Prescription Service (PPS), has reported an impermissible disclosure of some patient data to its affiliated grocery enterprise. On January 10, 2023, PPS found out that 82,466 individuals’ names and email addresses were disclosed to Kroger Co.. The information was used to make grocery accounts for those persons. The impacted persons had signed up for an online PPS account from July 2014 to January 13, 2023.

PPS stated the impermissible disclosure was because of an internal error. Since that incident, the company has updated its website to deal with the problem. Impacted persons were informed through mail.

Texas Medical Liability Trust Notifies Policyholders Concerning PHI Breach

Texas Medical Liability Trust lately advised 625 of its medical insurance policyholders about the exposure of some of their personally identifiable information (PII). It detected suspicious system activity on or about October 12, 2022, and confirmed through investigation that unauthorized persons accessed some areas of its system from October 2, 2022 to October 13, 2022.

The analysis of the compromised files was concluded on December 12, 2022. The impacted persons received notifications on January 13, 2023 from Texas Medical Liability Trust, representing itself and its affiliates, Physicians Insurance Company, Texas Medical Insurance Company, and Lone Star Alliance, Inc.

The compromised data included names, driver’s license numbers, Social Security numbers, and financial account details. Texas Medical Liability Trust stated that it has implemented extra safety measures and further trained its employees. Impacted persons received offers of free credit monitoring services for one year.

Business Associate Ransomware Attack Affects Patients of Associates in Dermatology

Associates in Dermatology, a group of dermatology clinics across Kentucky, Indiana, and New York, has begun informing patients about the exposure of some of their protected health information (PHI) due to a ransomware attack on Virtual Private Network (VPN) Solutions, its business associate.

VPN Solutions provides healthcare providers with electronic medical record management services. Associates in Dermatology utilized its TouchChart software program to hold patient information. VPN Solutions detected the ransomware attack on or about October 31, 2021, and informed Associates in Dermatology on December 22, 2021 stating that its data was not viewed or stolen during the attack. Nevertheless, the forensic investigation into the incident was in progress.

Associates in Dermatology stated that it reached out to VPN Solutions several times to inquire about the progress of the forensic investigation and to get an official report concerning the attack, however, it only discovered the exposure of patient data on January 17, 2023, that is, 15 months following the discovery of the breach, and 2 months after confirming the exposure of the files by VPN Solutions.

Based on the breach notice, there was no exposure of the electronic medical records. However, tag image files from a data storage facility may have been acquired during the attack. The majority of those files did not include patient information, yet VPN Solutions stated a number of the files might be associated with patient names. Associates in Dermatology mentioned VPN Solutions failed to confirm whether PII or PHI was included in the documents and failed to give a listing of patient names.

Associates in Dermatology stated its own analysis confirmed on March 10, 2023, that the exposed files possibly contained PII. The types of data were different from one patient to another and might have contained one and up of these data elements: first and last name, Social Security number, address, birth date, health condition(s)/diagnosis, treatment details, laboratory test data, medical insurance policy number, subscriber ID number, unique AID patient identifiers, and health plan beneficiary number.

Associates in Dermatology stated VPN Solutions has improved security and has recreated its whole environment and recovered all information. Associates in Dermatology conducted an analysis of its agreements with third-party providers and evaluated their cybersecurity procedures and has given victims free credit monitoring and identity theft protection services.

The breach is not yet posted on the HHS’ Office for Civil Rights breach website therefore it is presently uncertain how many persons were impacted.

47,000 Special Needs Student Data Compromised On the Web

A non-password-secured database that contains the data of over 47,000 special needs students were compromised online and can be viewed by any person with no need for authentication. Security researcher Jeremiah Fowler found the database in the middle of February. He tracked the database to a firm known as Encore Support Services. Encore Support Services is based in Brooklyn, NY, and provides behavioral health, special education, and related services. Fowler advised Encore Support Services concerning the data breach and the database is already secured.

As per Fowler, the 6.74 GB database held information dating back to 2018 and contained invoices with student names, parent names, addresses, Open Student Information System (OSIS) numbers, names of service providers, vendor details, EIN/SSN tax ID, and billing hours. The invoices additionally contained codes that indicated disability services.

The data can be utilized for a variety of nefarious functions. For example, Encore Support Services may be impersonated and parents called and requested to disclose sensitive data or pay a small fee on their credit card. Because a threat actor is going to have access to case numbers, students’ unique OSIS numbers, and therapy records, the requests will appear genuine.

Fowler could not establish the duration of the database exposure and if unauthorized individuals accessed it. However, it seems that the database was not exposed for a long time since ransomware was not used for encryption or deleting information for extortion purposes.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at