Cyberattack Reported by Oak Valley Hospital, DMS Health Technologies, and Jordan Valley Community Health Center

284K Oak Valley Hospital District Patients Affected By Cyberattack

Oak Valley Hospital District in Oakdale, CA, has recently informed 283,629 patients concerning the exposure of their sensitive information due to a cybersecurity incident. The hospital detected suspicious activity within its IT systems on July 18, 2023. It was confirmed by the following forensic investigation that an unauthorized third party acquired access to its systems between April 21, 2023, and  July 18, 2023. At that time, the attacker potentially viewed or stole the files used for billing and treatment.

The files included protected health information (PHI) like names, medical insurance data, Social Security numbers, and data associated with the care given. Those whose Social Security numbers were exposed received offers of free identity theft protection and credit monitoring services. Oak Valley Hospital District stated it has improved its security system and will review and improve its security protocols to avoid other data breaches.

Cyberattack on DMS Health Technologies Impacts Mountrail County Medical Center

Mountrail County Medical Center located in Stanley, ND was impacted by a cybersecurity incident that happened at DMS Health Technologies, its imaging vendor. DMS detected suspicious activity inside its computer system on April 23, 2023.

Based on the forensic investigation,  unauthorized persons got access to its system for one month from March 27 to April 24, 2023. At that time, files with PHI were potentially viewed or stolen. The data in the files differed from one person to another and may have contained names, birth dates, dates of service, doctors’ names, and types of exams. DMS stated extra administrative and technical safety measures are being put in place to better protect its network.

Cyberattack on Jordan Valley Community Health Center

On August 9, 2023, Jordan Valley Community Health Center located in Springfield, MO detected suspicious activity within its computer network. The health center launched a forensic investigation to find out the nature and extent of the incident, which confirmed unauthorized persons acquired access to its network from March 9, 2023 to June 22, 2023. At that time, files that contain patient data could have been accessed or stolen. The impacted files included these types of data: name, address, email address, date of birth, and race.

Jordan Valley Community Health Center stated all the print and digital material that had been stolen were recovered and destroyed. Secured affidavits confirm that no copies of the stolen information were made. A representative of the health center mentioned that the core values and present endeavors of Jordan Valley is to improve the quality of patient care and convenience. The health center also restricted access to data without a business need, in order to avoid this from happening again. The company sent notification letters to impacted persons on September 15. The HHS’ Office for Civil Rights has been notified, however, the incident is still not posted on the OCR breach website, so it is presently uncertain how many people were affected.

WVU Medicine, Erlanger Health, and Arkansas Total Care – New Confirmed Victims of MOVEit Transfer Hacks

WVU Medicine (Nuance Communications)

WVU Medicine based in West Virginia, an advanced heart, thoracic, vascular, cancer, neurological, and pediatric care provider and a Nuance Communications clients, has recently reported that it was impacted by the zero-day vulnerability exploitation in Progress Software’s MOVEit Transfer solution from May 28 to May 29, 2023. Nuance Communications received notification concerning the vulnerability by Progress Software and started an investigation to find out whether the vulnerability was exploited, and confirmed on July 11, 2023, that the information of WVU Medicine patients was stolen. WVU Medicine was informed regarding the breach on August 1, 2023, and Nuance released notification letters to the impacted persons on September 19, 2023. The breached data contained names of patients, practitioners, medical care facilities, and descriptions and dates of services offered.

Erlanger Health (Nuance Communications)

Erlanger Health, Inc. based in Tennessee was likewise impacted by the MOVEit attack at Nuance Communications. The compromised files contained the PHI of 2,753 individuals who had recently acquired radiology or imaging services. The breached data only included names, services received, dates of service, and internal medical record numbers. Nuance Communications informed Erlanger Health concerning the breach on August 2, 2023, and mailed notification letters to the impacted patients in the middle of September.

Arkansas Total Care (Ricoh USA)

Member data of Arkansas Total Care was exfiltrated from Ricoh USA, Inc. after the exploitation of the MOVEit Transfer vulnerability. Ricoh advised Arkansas Total Care regarding the data breach on July 26, 2023. The breached data contained names, dates of birth, Social Security numbers, and some healthcare data. The breach report was recently submitted to the HHS’ Office for Civil Rights indicating that 578 individuals were affected.

216K-Record Data Breach at Community First Medical Center

Community First Medical Center based in Chicago, IL began informing 216,047 patients concerning a cyberattack that enabled an unauthorized third party to acquire access to its computer network on July 12, 2023. Based on the September 26, 2023 breach notice, the launched forensic investigation confirmed on July 28, 2023, the access of files with patients’ PHI by a third party.

The types of data exposed in the incident differed from one person to another and could have contained complete names, phone numbers, email addresses, medical record numbers, Medicare numbers, and Social Security numbers. Community First Medical Center stated it did not know of any actual or attempted patient data misuse; nevertheless, as a safety measure, people whose Social Security numbers were exposed were provided free credit monitoring services. Community First Medical Center mentioned it had taken action on many safety measures before the cyberattack to protect patient information and it will assess and adjust its security protocols to stop other security breaches later on.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA