Two HIPAA-regulated entities have recently begun sending notifications to individuals whose protected health information (PHI) may have been compromised in cyberattacks that occurred more than a year ago. One entity took 18 months to alert affected people that their PHI had been accessed and likely acquired.
Comprehensive Health Services Informs 94,449 Patients Regarding September 2020 Cyberattack
Comprehensive Health Services, based in Cape Canaveral, FL, provides workforce medical services. It is a subsidiary of Acuity International, which recently announced that it had experienced a cyberattack that was discovered on September 30, 2020.
The security incident was noticed after several fraudulent wire transfers were made from its accounts. Third-party forensics specialists were hired to determine the extent of the security incident, secure its digital environment, determine how the attacker gained access to its systems, and establish whether any sensitive data was stolen from those systems.
Comprehensive Health Services revealed in its breach notification letter to the Maine Attorney General that it confirmed on November 3, 2021, that the personal information of some persons employed by one of its customers might have been accessed and stolen in the attack. The provider sent breach notification letters to those impacted people on February 15, 2022, and offered them either 1 or 2 years of credit monitoring and identity theft protection services. It is unclear why the provider took 15 months to confirm the compromise of PHI, and then another three months to mail notification letters to affected persons.
Based on the breach report submitted to the Maine Attorney General, the PHI of 94,449 persons was possibly breached.
Minimally Invasive Surgery of Hawaii Alerts Patients Concerning February 2021 Cyberattack
Orthopedic Associates of Hawaii, All Access Ortho, and Specialty Suites, doing business as Minimally Invasive Surgery of Hawaii (MISH), has begun informing patients who were impacted by an incident that resulted in the compromise of their protected health information.
The incident was a ransomware attack noticed on February 19, 2021. According to the breach notifications, the threat actor encrypted information on systems that included patient information. Steps were taken immediately to recover records and to find out whether the unauthorized actor viewed or obtained files that contain patient information.
MISH said the investigation confirmed on or about April 2, 2021, that the threat actor accessed its systems from February 12, 2021, to February 19, 2021, and acquired a limited number of files. An assessment was then conducted to determine which patients were affected and the types of data that were obtained, and the contact information of those people then needed to be validated.
Breach notification letters dated February 19, 2021, were submitted to the California Attorney General, though the breach report was submitted to the HHS’ Office for Civil Rights in April 2021. Based on the breach report, 500 persons were impacted, though 500 is frequently used as a placeholder until the final total of affected people is known.
MISH stated the following types of data were breached: full names, addresses, dates of birth, medical treatment and diagnosis details, medical insurance details, and a small number of Social Security numbers. No evidence was found to suggest the misuse of patient information. Affected persons received offers of complimentary credit monitoring and identity theft protection services.
MISH stated that it reviewed its policies and procedures and has implemented additional administrative and technical safeguards to enhance security.