Murfreesboro Medical Clinic & SurgiCenter (MMC) in Tennessee has recently confirmed that the protected health information of more than half a million patients was compromised in what it describes as “a series of attacks on our network and IT systems,” which were discovered on or around April 24, 2023.
An investigation was launched after the network was secured, and it confirmed that a “well-known cyber extortion operation” was behind the attack and had gained access to the network on or around April 22, 2023. The group was not named by MMC, but it appears to be the BianLian threat group.
MMC said it was unable to determine whether files were accessed or removed from its network; however, the parts of the network that were accessed contained files that included the protected health information of 559,000 patients. The information potentially accessed or stolen included full names, dates of birth, home addresses, phone numbers, copies of driver’s licenses, full or partial social security numbers, dependent information, dates of service, medical and diagnostic information related to those dates of service, test results, procedure notes, prescription information, medical record numbers, and insurance and enrolment information.
MMC said it rebuilt its network and has implemented advanced security features to prevent similar breaches in the future, and said the attack appeared not to have resulted in any loss of data. As a precaution against identity theft and fraud, affected individuals have been offered 24 months of complimentary credit monitoring services.
PHI of More Than 24,000 Mount Desert Island Hospital Patients Exposed
Mount Desert Island Hospital in Bar Harbor, ME, has issued a statement about a security incident that was detected on May 4, 2023. An investigation was launched when suspicious activity was detected in its computer systems, and it confirmed that certain parts of its network had been accessed by unauthorized individuals between April 28, 2023, and May 7, 2023.
A review of all files on the compromised parts of the network confirmed that protected health information had been exposed, including names, addresses, birth dates, driver’s license/state identification numbers, Social Security numbers, financial account information, medical record numbers, Medicare or Medicaid identification numbers, mental or physical treatment/condition information, diagnosis codes/information, dates of service, admission/discharge dates, prescription information, billing/claims information, personal representative/guardian names, and health insurance information.
Third-party security specialists were engaged to re-secure its network, additional security precautions were implemented, and a review has been conducted of its data protection policies and procedures. Complimentary credit monitoring services have been offered to the 24,180 affected individuals.
ARx Patient Solutions Reports Email Account Breach from 2022
The Kansas-based healthcare provider, ARx Patient Solutions, has recently notified the Maine Attorney General about a security breach that has affected 41,116 individuals, including individuals who used the ARx Patient Solutions Pharmacy.
In March 2022, an unauthorized individual accessed the email account of an employee. A third-party cybersecurity firm was engaged to investigate the breach and determined that the following types of information had been exposed: first name, last name, prescription information, patient account number, health insurance account member number, health insurance group number, doctor’s name, and in some limited cases, Social Security number. Many of the individuals affected were minors.
The investigation, which included dark web monitoring, has not identified any evidence of misuse of the exposed data. ARx Patient Solutions said it has strengthened system security by implementing XDR threat monitoring systems, proactive vulnerability management programs, and active system scanning solutions, and has made significant investments in its Security Operations department. Affected individuals were notified on June 30, 2023, and have been offered a one-year membership to an identity theft monitoring service.
City of San Luis Reports Email Breach Affecting 6,848 Individuals
The City of San Luis in Arizona has discovered unauthorized access to an employee’s email account that contained the protected health information of 6,848 individuals. Suspicious activity was detected in the email account on March 7, 2023, and the forensic investigation confirmed the account was accessed without authorization between February 1, 2023, and February 23, 2023. The review of the emails and attachments was completed on May 4, 2023, then contact information was verified to allow notification letters to be sent. Affected individuals had one or more of the following exposed: name, address, driver’s license number, health insurance information, medical information, date of birth, and Social Security number.
Arizona Medicaid Agency Reports Exposure of Medicaid Recipients’ PHI
The Arizona state Medicaid agency, Arizona Health Care Cost Containment System (AHCCCS), has confirmed that 2,632 Medicaid recipients have had some of their protected health information exposed. On May 11, 2023, a vulnerability was identified in the HEAplus system toolbar on the e-Arizona website, which allowed sensitive information to be accessed. The information exposed was limited to first and last names, addresses, and the last four digits of Social Security numbers. AHCCCS has made security updates that it says will prevent similar breaches from occurring again and notified the affected individuals by mail on July 3, 2023.
Vitality Group Suffers MOVEit Data Breach
Vitality Group, a Chicago, IL-based behavioral engagement platform provider, suffered a data breach on May 30, 2023, when hackers exploited a zero-day vulnerability in the MOVEit file transfer solution. The breach was detected by its IT security staff on June 1, 2023, and steps were immediately taken to prevent further unauthorized access; however, during a 2-hour time span, hackers had access to the server where the MOVEit application was installed and potentially stole sensitive data such as names, mailing addresses, dates of birth, email addresses, and Social Security numbers.
Vitality Group is offering two years of complimentary credit monitoring and identity theft protection services to individuals who had their Social Security numbers exposed. It is currently unclear how many of its clients were affected, but one of those is known to be the Los Angeles, CA-based AltaMed Health Services Corporation.