Six Healthcare Providers Report Data Breach

Trinity Health based in Livonia, MI has reported that an unauthorized person acquired access to the email account of an employee and possibly viewed or obtained patient data. The provider detected suspicious account activity in the email on January 5, 2023. The investigation revealed that unauthorized email account access happened from December 16, 2022 to December 18, 2022.

An evaluation of the contents of the account was done on February 14, 2023. The data types in the account differed from one patient to another. Compromised data included names, health record numbers, patient ID numbers, encounter numbers, location(s) of service, names of providers and areas of expertise, procedure name(s), name/type of insurance, billing amounts, and birth dates. The address, telephone number, email address, and prescription data of some individuals were exposed.

Trinity Health altered the account password to stop more unauthorized access and assessed its guidelines and procedures. Because of the nature of the compromised data, Trinity Health is convinced that the possibility for misuse is minimal; nevertheless, impacted persons received a free membership to a credit monitoring and identity theft protection service for 12 months
.
Trinity Health has submitted the breach report to the HHS’ Office for Civil Rights indicating that 45,350 persons.

Email-Related Breach Affects Beaver Medical Group Patients

Beaver Medical Group and Epic Management located in California, a member of the Optum Group, have begun informing a number of patients about the compromise of an employee’s workstation because of responding to a phishing email. Though the attacker got access to the email account for a short period of time, it’s still possible for the stolen information to be viewed or copied. The forensic investigation came to the conclusion on February 3, 2023, that the compromised data included names, health plan details, member ID numbers, and premium payment amounts.

Beaver and Epic mentioned that it improved the security controls on their servers to stop comparable breaches later on. Monitoring was improved. Epic Management has reported the breach to the HHS’ Office for Civil Rights indicating that 1,190 persons were affected.

AllCare Plus Pharmacy Reports Summer 2022 Phishing Attack

AllCare Plus Pharmacy located in Northborough, MA recently sent a notification to the Maine Attorney General about a phishing attack that impacted 5,971 patients. AllCare Plus Pharmacy discovered a phishing campaign aimed at several employees on June 21, 2022. Immediate action was undertaken to take out the phishing email messages from its email platform and stop unauthorized access to the account; nevertheless, unauthorized individuals accessed a number of employee accounts.

Although there is no proof of patient data misuse identified, it is assumed that the attacker accessed or acquired the protected health information (PHI). The analysis of the impacted accounts revealed they included names, addresses, dates of birth, driver’s license numbers, Social Security numbers, other ID numbers, financial details, and limited health and medical insurance data associated with treatment and prescription medications.

AllCare Plus Pharmacy stated more security measures, internal controls, and safety measures were applied, and impacted persons were provided two years of credit monitoring services.

441,000-Record Data Breach at Alabama Healthcare Provider

Heart medical center Cardiovascular Associates based in Birmingham, AL lately reported that unauthorized persons acquired access to selected areas of its network from November 28, 2022 to December 5, 2022 and extracted files that contain patient data. The breach was discovered on December 5, 2022, and fast action was done to control the breach and stop more unauthorized access. A top-rated digital forensics company investigated the breach and affirmed the occurrence of data theft.

The analysis of the impacted files showed the inclusion of these types of data: Complete names, dates of birth, addresses, health insurance details, medical record numbers, dates of service, names of provider/facility, visit/procedure/diagnosis data, medical tests data and images, billing and claims details, Social Security numbers, driver’s license numbers, passport numbers, debit/credit card details, and financial account data. The types of information exposed differed from one patient to another. The usernames and passwords of some patients were likewise exposed.

Cardiovascular Associates has toughened network security to stop the same breaches later on and improved its security and monitoring functions. People who had their Social Security number, debit/credit card data, financial account details, driver’s license number, or passport number exposed were provided with complimentary credit monitoring and identity restoration services.

The data breach is not yet published on the HHS’ Office for Civil Rights breach website, however, the report is already submitted to the Maine Attorney General indicating that 441,640 persons were impacted.

Great Neck/Mid Island Dental Announces Third-Party Data Breach

Great Neck/Mid Island Dental with Richard T. Miller, DMD, PC lately announced through his lawyer that the PHI of 22,933 persons was viewed by unauthorized persons. The data breach happened at a law agency that assisted Great Neck Dental to get another dental practice’s assets in 2015. Cooperman Lester Miller Carus LLP (CLMC), assisted the seller with the purchase and was given data about the business deal, including patient data. Great Neck Dental was informed on October 7, 2022 about an unauthorized person who acquired access to the email account of a partner of CLMC from March 27, 2022 to June 1, 2022. The email account included patient names, birth dates, dental insurance data, and Social Security numbers.

Richard T. Miller stated Great Neck/Mid Island Dental systems were not impacted and there is no data misuse identified; nevertheless, as a safety measure, impacted persons were provided free identity protection services.

Records of 2,000 Clients Possibly Exposed in Multnomah County Health Department Break-in

The Multnomah County Health Department located in Oregon has reported that the personal data of about 2,000 persons were likely accessed in a break-in that occurred at the Multnomah County Health Department headquarters. During the weekend of February 17 to 18, 2023, the break-in happened and was identified on February 21 because of the President’s Day holiday.

The perpetrator stole the county’s laptop computer and a new client’s cellular phone. the perpetrator additionally viewed paper records with client information that were stored in an area. Law enforcement arrested the suspected criminal last week. The county health department notified all impacted clients and workers by mail.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone