Cyberattacks Announced by Brooklyn Premier Orthopedics, Atlas Healthcare, Humana Inc, and Morrison Community Hospital

Brooklyn Premier Orthopedics (BPO), based in New York, has reported that the protected health information (PHI) of 48,459 patients was potentially accessed and stolen in a recent cyberattack. According to BPO’s breach notice dated October 5, 2023, unauthorized persons gained access to parts of its system that stored patient data, including names, addresses, birth dates, Social Security numbers, and healthcare treatment data.

The investigation found no evidence that any information was misused; nevertheless, the impacted patients were advised to be cautious and monitor their accounts. Free credit monitoring and identity theft protection services were provided. BPO has reviewed and improved its security guidelines and procedures to reduce the chance of similar incidents in the future.

Cyberattack Impacts About 11,000 Atlas Healthcare Residents and Patients

Atlas Healthcare, a senior living and care provider based in Connecticut, has reported the exposure of some PHI of 10,831 of its assisted living residents and rehabilitation patients due to a cyberattack in January 2023. The breached data includes names, addresses, birth dates, Social Security numbers, medical insurance data, health data, driver’s license numbers, and financial data. The impacted persons had received medical care at Vernon Rehabilitation and Healthcare Center in Vernon, CT, Manchester Rehabilitation and Healthcare Center in Manchester, CT, or Arbors of Hop Brook.

Atlas Healthcare didn’t disclose details about the nature of the cyberattack, for instance, whether the incident involved data theft or extortion. As a safeguard against identity theft and fraud, impacted persons were offered a free credit monitoring service membership.

Breach at Subcontractor of Business Associate Affected Humana Members

Humana Inc. recently reported a data breach that occurred at a subcontractor of its business associate PNC Bank. PNC manages the money for paying Humana’s service providers. PNC sent a notification to Humana about the incident on October 3, 2023.

On August 9, 2023, the payment processing subcontractor, Echo Health, informed PNC that it had detected suspicious activity on its website. The investigation revealed that an unauthorized person viewed its website using valid payment details that were acquired from a third-party billing provider. That person accessed Explanation of Provider Payment documents that contained the PHI of 2,844 members of Humana. The breached documents included first and last names, names of providers, dates of service, and Humana ID numbers.

Humana states that Echo Health has applied extra technical safety measures and controls on its website to prevent similar incidents and has implemented extra notifications and fraud tracking.

PHI Potentially Compromised Due to Email Breach in the City of Philadelphia

The City of Philadelphia is investigating an email breach. Suspicious activity was discovered in its email system on May 24, 2023; nevertheless, according to a recent statement, unauthorized activity continued for another two months after the breach was identified. The forensic investigation confirmed that the unauthorized individual accessed the email accounts up to July 28, 2023.

About one month after securing the breach, city officials stated that some of the breached email accounts contained personal data and PHI. Although the investigation is in progress and email accounts are still under manual and programmed review, the following data of impacted persons was compromised: names, birth dates, addresses, other demographic and contact details, Social Security numbers, health data like diagnoses and treatment details, and some financial data, including claims details.

City officials said they would send notification letters to the impacted persons upon completion of the email account review. At this time, it is uncertain how many people were affected, and it was not explained why the incident took two months to secure or why the breach announcement was made 5 months after the initial discovery.

Morrison Community Hospital Cyberattack

Morrison Community Hospital (MCH), located in Illinois, has reported that it suffered a network breach on September 24, 2023 due to unauthorized access. A third-party cybersecurity company helped secure its network and investigated the scope of the unauthorized access. The breach appears to affect only its Explanation of Benefits statements.

Based on an October 19, 2023 breach notice published on its website, MCH is convinced that no information of any individual was misused because of this incident. Notification letters will be provided to the impacted persons. The incident is not yet posted on the HHS’ Office for Civil Rights breach website; therefore, the number of affected individuals is uncertain. MCH stated it has evaluated and improved its technical safety measures to prevent similar incidents in the future.

MCH didn’t disclose any information concerning the nature of the cyberattack; nevertheless, the ALPHV ransomware group announced that it is responsible for the attack and has included MCH on its data leak website. Some of the stolen information was published on the ransomware group’s data leak website on October 19, 2023. The group threatened to leak all the stolen information if its ransom demands were not met. The group subsequently leaked 8.6 TB of VMware VM graphics, 1 VM with SQL, and 5 VMs with information.

Data Stolen from Beverly Hills Plastic Surgery Practice

The cosmetic surgeon Jaime S. Schwartz, M.D., based in Beverly Hills, CA, appears to have suffered a cyberattack. The Hunters International ransomware and data extortion group has included the cosmetic surgeon on its data leak website together with some pictures of four identified patients.

The ransomware group boasts of having extracted 1.1 terabytes of information, or 248,245 data files, and mentioned it is getting ready to send emails to patients. At this time, the plastic surgeon’s website has not mentioned any cyberattack or data breach. There is also no breach report posted on the California Attorney General’s website or on the HHS’ Office for Civil Rights breach portal.

The Federal Bureau of Investigation (FBI) just released a security advisory saying that ransomware and data extortion groups are targeting plastic surgery offices. The first phase of the attacks entails data theft, followed by using the stolen information as open source data, and the last phase involves threatening to expose the data in attempts to extort the cosmetic surgeons and their patients.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA