Gateway Rehabilitation Center (Gateway Rehab), based in Pennsylvania, recently reported an incident that caused access problems on selected systems. Gateway Rehab detected the incident on June 13, 2022, and took quick action to stop the unauthorized system access. A digital forensics agency investigated the incident. On July 8, 2022, the forensic investigation confirmed that the people responsible for the attack might have viewed or acquired patients’ data. Gateway Rehab reported the breach to the HHS’ Office for Civil Rights, indicating that the protected health information (PHI) of around 130,000 patients was affected.
The following types of data were exposed in the attack: names, dates of birth, financial account and/or payment card numbers, Social Security numbers, state ID numbers, driver’s license numbers, health history, and medical insurance data. Gateway Rehab didn’t reveal the precise nature of the attack, but it appears to be a BlackByte ransomware attack. Databreaches.net confirmed that some information stolen in the attack was uploaded to the attacker’s data leak website.
According to Gateway Rehab, the analysis of all impacted files was finished on September 21, 2022. Patients received their notifications on November 18, 2022. The substitute breach notice posted on the Gateway Rehab website made no mention of providing credit monitoring and identity theft protection services to the affected patients. Gateway Rehab did, however, state the steps it has taken to prevent similar incidents in the future.
Ex-Employee of Kaiser Permanente Impermissibly Accessed Patient Records
Kaiser Foundation Health Plan of the Mid-Atlantic States, Inc. recently reported that it discovered an employee who impermissibly accessed the PHI of several Kaiser Permanente patients. The health plan detected the unauthorized access on September 21, 2022, and the investigation confirmed that the employee accessed portions of the health records of 8,556 patients beyond the scope of his work duties.
The following types of data were accessed: demographic data (for instance, names, dates of birth, addresses, email addresses, and telephone numbers), medical record numbers, and some health data, such as medical pictures. The employee did not view Social Security numbers or financial data.
According to the substitute breach notice, the employee no longer works at Kaiser Permanente, and no evidence was found of copying, misuse, or further disclosure of any of the accessed data. Kaiser Permanente states that it is reviewing its guidelines and procedures regarding access to patients’ health data.
Yakima Neighborhood Health Services Reports Impermissible PHI Disclosure
Yakima Neighborhood Health Services (YNHS), located in Washington, recently announced a security incident that led to an impermissible disclosure of the PHI of 2,689 persons. On October 4, 2022, a file containing patient data was erroneously sent to a person who wasn’t permitted to receive the data. The file included data such as names, dates of birth, medical record numbers, and treatment areas.
YNHS stated that upon discovery of the incident, it took steps to ensure the distributed file was deleted. No evidence was found of misuse of any of the data in the file. It took YNHS until November 10, 2022 to validate the updated contact details for impacted persons. Privacy breach notifications have been sent to the impacted persons. YNHS also took steps to prevent similar occurrences in the future.