Data Breaches at Grand River Medical Group, Granite Wellness Centers, and Texas Spine Consultants

Grand River Medical Group based in Dubuque, OH found out that an unauthorized person acquired access to an employee’s email account and might have seen or gathered the protected health information (PHI) of 34,000 patients.

After the breach discovery, the healthcare provider performed a password reset to stop any more unauthorized access and conducted an internal investigation to find out if other systems were compromised. The Grand River Medical Group IT staff affirmed that the breach affected just one email account and the unauthorized person did not access any other system.

Third-party breach response specialists conducted a forensic investigation to find out if any patient data contained in the email account was accessed or downloaded. Though there was no evidence found that indicates patient data theft, such a possibility cannot be ruled out.

The data in the email account differed from one patient to another and included at least one of these data elements along with patient names: address, birth date, patient’s balance and type of balance, visit type, amount of claim and status code, prescription drugs, and name of the guarantor. The Social Security numbers of some patients were likewise compromised.

Grand River Medical Group sent notifications to affected individuals from February 8 to February 11, 2021 and offered them a free one-year membership to credit monitoring and identity theft recovery services via MyIDCare, plus a $1,000,000 identity theft insurance policy coverage.

PHI of 15,600 Patients Possibly Exposed in Ransomware Attack at Granite Wellness Centers

Granite Wellness Centers based in Northern California experienced a ransomware attack on January 5, 2021 resulting in patient information encryption. The center detected the attack while it was ongoing and took the systems offline to avoid data exfiltration.

There was a ransom demand issued, but Granite Wellness Centers did not pay any ransom. All encrypted files were restored using backups. An audit of the systems affected revealed they held patient information like names, birth dates, dates of service, treatment and health data, treatment provider, and medical insurance company name.

Granite Wellness Centers didn’t receive any report that indicates the misuse of patient data; nevertheless, impacted persons were advised to keep track of their accounts and explanation of benefits statements for unexplained activity. Extra safeguards are being implemented to avoid further cyberattacks and to protect data stored on its systems.

The PHI of up to 15,600 people was likely exposed in the attack.

25,728 Texas Spine Consultants Patients Impacted by Security Breach

Texas Spine Consultants located in Addison, TX learned about a security incident that led to the inadvertent disclosure of the PHI of 25,728 patients. The security incident happened on December 2, 2020 and is still under investigation, however, it does not seem like the disclosure was connected to hackers or criminal activity.

The information unintentionally disclosed only included patients’ names, dates of birth, and photo scans. Texas Spine Consultants has alerted affected people by mail and has given data to help them safeguard themselves against the falsified activity. More privacy and security steps were put in place to avert more data breaches later on.

About Christine Garcia 1289 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at