Cyberattack Impacts Over 100,000 Individuals

December 10, 2023 Christine Garcia HIPAA News

Longhorn Imaging Center Data Breach

South Austin Health Imaging LLC, dba Longhorn Imaging Center based in Austin, TX, has just reported a case of hacking to the HHS’ Office for Civil Rights indicating that 100,643 patients were affected. As per the breach notice sent to the Texas Attorney General, the breached data included complete names, addresses, birth dates, health data, and medical insurance data. Notification letters are currently being mailed to the impacted persons.

At this time, no substitute breach notice is posted on the website of the Longhorn Imaging Center. There is also no confirmation yet regarding what happened, including when the attack happened and when it was discovered; nevertheless, the attack seems to have been carried out by the SiegedSec threat group, which is the group responsible for attacking the Idaho National Laboratory recently.

At the beginning of June, the group included Longhorn Imaging Center to its data leak website and stated it had extracted data that contained doctor complete names, patient complete names, patient treatment information, patient birth date, patient gender, name of institution, treatment date, etc.

Data Breach at Woodfords Family Services

Woodfords Family Services based in Westbrook, ME offers services to families and individuals with special needs. It just submitted a data breach report to the HHS’ Office for Civil Rights indicating that 6,691 individuals were affected.

Based on its substitute breach notification, Woodfords Family Services started a forensic investigation that confirmed the unauthorized acess of the mhdc procedure by a third party on or about June 19, 2023. Files made up of some personal data might have been taken out of its system. The document analysis confirmed that the files contained full names along with at least one of these: address, email address, birth date, telephone number, driver’s license number, Social Security number, government-issued ID number, medical record number, full face picture, passport number, certificate/license number, unique identifier, financial account data, credit/debit card details, healthcare treatment/diagnosis data, and/or medical insurance policy data.

Impacted people received the breach notification on November 10, 2023. Woodfords Family Services offered free credit monitoring services to persons who had their Social Security numbers exposed.

Data Breach at Prestige Care

Prestige Care/Prestige Senior Living in Washington has reported that it encountered a cyberattack that was discovered on or about September 7, 2023, that resulted in the infection of its network by malware that made certain files inaccessible. The investigation revealed that the unauthorized person viewed files on its network on the day the breach was discovered.

The healthcare provider is still investigating and reviewing files, and the total number of persons impacted is not yet certain, though Prestige confirmed the compromise of the data of present and past employees and residents in the attack. The affected data differs from one person to another and likely includes names, birth dates, healthcare data, Social Security numbers, and medical insurance data. Prestige will send notification letters to the impacted persons when the review is finished. To satisfy the breach reporting requirements of HIPAA, the incident report was submitted to the HHS’ Office for Civil Rights indicating that at least 501 persons were affected. The total will be reported as soon as the review is done.

It was earlier reported that the ALPHV/BlackCat ransomware group professed to be responsible for the attack. The group added Prestige to its data leak website and stated that it stole 260 GB of data. Although the listing remains posted on the leak site, no data is currently downloadable.

WellLife Network Inc. Data Breach

Behavioral health services provider, WellLife Network Inc., based in New York, has just released an interim notification concerning a cyberattack that was discovered on September 7, 2023. Third-party cybersecurity experts investigated the unauthorized network access and stated that an unauthorized third party viewed its system from August 26, 2023 to September 7, 2023, and had seen and/or duplicated files with patient data.

The WellLife Network has started a manual and automatic review of the affected files to determine the breached data and the number of persons impacted. That analysis is in progress, however, it appears that the types of information impacted include name, birth date, demographic information and/or other personal or health data. The company is going to send breach notification letters to the affected persons as soon as the review is finished. To satisfy the HIPAA requirements of breach reporting, the incident report was submitted to the HHS’ Office for Civil Rights indicating that about 501 persons were affected. The total number will be released as soon as the review is finished.

Data Breach at Frederiksted Health Care

Healthcare provider Frederiksted Health Care, Inc. in the St. Croix community located in the U.S. Virgin Islands, informed the local media at the end of October that it had encountered a cyberattack. The provider took immediate steps to keep its systems secure and started an investigation to find out the nature and extent of the breach. Local media specialists believe the incident was a ransomware attack. The healthcare data breach report submitted to the HHS Office for Civil Rights indicates that 600 people were affected.

Data Breach at Medical University of South Carolina

The Medical University of South Carolina (SUMC) in Charleston was impacted by a data breach that occurred in a third-party vendor. Westat gathers information from SUMC patients as required by the Centers for Disease Control and Prevention (CDC) for purposes of public health reporting. Westat employed the MOVEit Transfer file transfer solution by Progress Software. The Clop hacking group exploited a zero-day vulnerability from May 28 to May 29, 2023. Westat has submitted its breach report to the HHS’ Office for Civil Rights in two different reports, one impacting 50,065 people and a second impacting 20,045. The SUMC breach report indicated that the breach affected 1,758 people and stated it affected names, addresses, birth dates, names of providers, diagnoses, and insurance data.

Data Breach at CareTree

CareTree Inc. based in Chicago, IL provides smart care management and patient advocate software to healthcare providers. It recently reported unauthorized access to its CareTree platform after detecting suspicious activity in its platform on or about August 16, 2023. It was confirmed by the forensic investigation that hackers gained access to the platform on July 21, 2023.

The analysis of the compromised files revealed that they included the data of 1,097 CareTree patients; nevertheless, CareTree cannot confirm the exact data compromised for each patient since the data is not available anymore. The types of data possibly exposed included names, addresses, Social Security numbers, driver’s license numbers, financial account data, birth dates, medical data such as diagnosis, laboratory test results, medications or other treatment data and/or medical insurance details. In CareTree’s substitute breach notice, it was mentioned that CareTree will send notifications to all persons who had their data affected, together with data and steps that affected individuals can take to better secure their data.

About Christine Garcia 1300 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA
Twitter