Patient Data Exposed in Data Breaches at Salud Family Health, New York-Presbyterian Hospital and Forest Hill Pediatrics

Salud Family Health Gives Latest News on September 2022 Ransomware Attack

Salud Family Health, a Federally Qualified Health Center (FQHC) based in Colorado, has provided an update on a cyberattack that happened in September 2022 and confirmed the potential theft of patient information. Salud Family Health stated that it discovered the security breach on September 5, 2022, and confirmed that patient and employee information was accessed during the attack.

In its recent update, Salud Family Health did not confirm the extent of the patient data theft, but it said the impacted data may include patient names, driver’s license numbers, Social Security numbers, Colorado ID card numbers, passport numbers, financial account data/credit card numbers, medical treatment and diagnosis data, medical insurance details, biometric information, and usernames and passwords.

The health center reported the breach to the HHS’ Office for Civil Rights with a 501 placeholder, which has not yet been updated on the OCR breach website. Nevertheless, the threat actor responsible for the attack, the Lorenz ransomware group, has leaked a portion of the files on the internet. The attacker claims to have stolen information that contains roughly 400,000 Social Security numbers, but that has not yet been verified.

Salud Family Health stated that it offered complimentary credit monitoring and identity fraud protection services to the employees and patients affected by the attack. It is also reviewing and updating its security guidelines and procedures to prevent future cyberattacks.

12,000 Patients Affected by New York-Presbyterian Hospital Breach

New York-Presbyterian Hospital recently reported that unauthorized persons gained access to a server and tried to download sensitive information. The security system identified the attack on September 8, 2022, and was able to block the attempted patient data theft.

Based on the forensic investigation, the attacker used web-based remote IT customer support software to access the laptops of a number of employees, and some desktop files were downloaded from those laptops. The attacker did not get access to the patient portal, but one laptop held the protected health information (PHI) of approximately 12,000 patients at NewYork-Presbyterian/Hudson Valley and NewYork-Presbyterian/Queens.

The PHI possibly viewed and stolen included first and last names, addresses, medical record numbers, examination results, and insurance authorizations. New York-Presbyterian Hospital stated that the accounts used for the technical support program were quickly suspended and the service was stopped without another incident. The hospital offered free credit monitoring and identity theft protection services to all impacted patients.

Forest Hill Pediatrics Announces EHR Vendor Data Breach

Forest Hill Pediatrics, based in Bel Air North, MD, recently confirmed that the PHI of around 4,958 patients was possibly exposed in a cyberattack on Connexin Software, Inc., one of its vendors. The vendor provides pediatric physician practice groups with practice management, EHR, and business analytics software. Connexin detected the breach on August 26, 2022, and forensic specialists investigated the nature and extent of the data breach.

Connexin confirmed on September 13, 2022, that an unauthorized third party got access to an offline set of patient information that is used for data conversion and troubleshooting. The third party removed part of that information from its systems. The electronic record system was not impacted. The offline information contained names of patients, guarantors and parents, addresses, email addresses, dates of birth, Social Security numbers, medical insurance data, dates of service, locations, services requested/procedures done, diagnoses, prescription details, doctors’ names, medical record numbers, and claims data.

Connexin has upgraded its security settings and improved system monitoring because of the breach. Connexin has additionally provided free child identity monitoring services for one year to those whose Social Security numbers were exposed.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA