Valle del Sol Community, Legacy Post Acute Care, and Berkshire Farm Center & Services for Youth Health Patients Impacted by Cyberattack

Valle del Sol Community Health based in Phoenix, AZ has informed 70,268 patients about the exposure of some of their protected health information (PHI). Valle de Sol’s notification letters didn’t say when the attackers acquired access to its system or the length of time they got access. However, it confirmed the discovery of the unauthorized activity on January 25, 2022.

Valle del Sol promptly secured its system to block unauthorized access. A third-party cybersecurity agency investigated the breach to find out whether patient information was viewed. Valle de Sol stated the investigation revealed that unauthorized people got access to files that contain sensitive patient information and that patient data might have been obtained. An extensive analysis was done of all files that could have been viewed, which was finished on July 18, 2022.

The late sending of breach notification letters was because of the long period of investigation, and the verification of updated contact details. The verification of contacts’ addresses ended on September 1, 2022. Valle de Sol mentioned in its website notification dated October 5, 2022 about the plans to alert impacted persons. Steps were also taken to reinforce security to avoid the same incidents later on. Valle De Sol stated it has not gotten any information from patients about any misuse of their information.

The exposed data involved names, birth dates, driver’s license numbers, Social Security numbers, clinical/diagnosis data, medical insurance member ID numbers, Medicare or Medicaid numbers, and medical record numbers. Valle de Sol didn’t seem to offer free credit monitoring and identity theft protection services to impacted persons.

Legacy Post Acute Care Reports Employee Email Accounts Breach

Legacy Post Acute Care based in Martinez, CA has just reported unauthorized access to multiple employee email accounts. An unauthorized person, potentially viewed or obtained the PHI of a number of patients.

Legacy Post Acute Care mentioned in its breach notification letters that it launched an investigation after detecting suspicious activity in its email account. The investigation established on September 12, 2022, the compromise of several employee email accounts from January 19, 2022 to March 3, 2022.

The analysis of emails and attachments showed that these types of data were compromised: full names, together with at least one of these data elements: birth date, state ID number, Social Security number, driver’s license number, financial data, clinical/treatment Data, medical insurance provider, medical insurance member ID/group number, medical provider name, patient account number, medical record number, and prescription details.

Legacy Post Acute Care stated there was no evidence found that suggests the misuse of patient details; nevertheless, to protect against identity theft and fraud, impacted persons received free memberships to a credit monitoring and identity theft protection service for 12 months. The incident report is not yet posted on the HHS’ Office for Civil Rights breach website, hence, the number of persons impacted is still uncertain.

Berkshire Farm Center & Services for Youth Reports Data Breach

Berkshire Farm Center & Services for Youth based in Canaan, NY has reported that an unauthorized third party acquired access to some servers and possibly viewed or acquired files that contain PHI. After the provider detected the breach on July 15, 2022, it quickly secured its systems, and launched an investigation to find out the nature and extent of the breach. The analysis of the impacted files is in progress.

Berkshire additionally reported that on or about August 9, 2022, it was confirmed that an unauthorized individual accessed the employee’s email account. It is uncertain whether there’s a connection between the two incidents. Berkshire stated the analysis of the email account showed it included the names of 951 persons and data associated with the treatment given. There is no evidence found that suggests the theft of data or misuse of data.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone