Family of Woodstock and Viverant Report Cyberattacks

Family of Woodstock (FOW), a New York provider of crisis intervention, information, prevention, and support services, has experienced a cyberattack that resulted in the potential compromise of the protected health information (PHI) of 8,214 people.

FOW detected the cyberattack on August 3, 2021, and immediately took steps to eject the attackers from its network and restore its systems and operations. Third-party forensic investigators helped determine the nature and scope of the breach, with the preliminary stage of the investigation ending on September 11, 2021.

FOW stated that the investigation confirmed the attackers gained access to areas of its system that held protected health information, including first and last names, telephone numbers, addresses, email addresses, dates of birth, driver’s license numbers, Social Security numbers, medical record numbers, medical background, diagnosis, treatment, illness, and health insurance data. At the time notifications were issued, no evidence had been identified of any attempted or actual misuse of data.

FOW has implemented additional cybersecurity measures, is improving its policies and protocols, and is providing additional cybersecurity training to employees.

Physical Therapy Center Informs 6,500 Patients of PHI Breach

Physical therapy center Viverant PT, LLC, based in Minneapolis, MN, is notifying 6,500 current and past patients about a cyberattack in March 2021 that exposed their PHI.

Viverant PT discovered the breach on March 9, 2021, after noticing suspicious emails being sent from a staff member’s email account. The IT team immediately secured the email account and took action to contain and limit the breach. A detailed review of its email environment confirmed that only one email account was breached, but that account held a wide range of sensitive data.

No evidence was found indicating any attempted or actual misuse of patient information; however, the possibility of data theft could not be ruled out. Viverant reported that the types of data in the account varied from patient to patient and may have included the following data elements: name, date of birth, address, Social Security number, driver’s license number, health record number, diagnostic/treatment details, date of service, credit/debit card number with password or security code, medical insurance details, financial account number with or without password or routing number, prescription drugs, username with security questions and answers, digital signature, and vehicle identification number (VIN).

Viverant stated that a prominent security company was hired to assist with the investigation and respond to the attack. To enhance the security of its systems and protocols, additional measures were implemented, such as:

  • changing passwords
  • implementing stronger authentication
  • providing additional training to employees
  • retaining national privacy and security professionals to help with ongoing security

Viverant provided complimentary credit monitoring services to affected persons.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA