PHI of 1.27 Million Patients Compromised in Two Healthcare Data Breaches

The protected health information (PHI) of 1,271,642 people was exposed and possibly stolen in two healthcare hacking incidents that were recently reported to the Department of Health and Human Services’ Office for Civil Rights.

PHI of 688,000 People Exposed During the Sea Mar Community Health Centers Hacking Incident

Sea Mar Community Health Centers is a not-for-profit provider of health, housing, human, educational, and cultural services to underserved areas in Washington state.

On June 24, 2021, Sea Mar discovered that an unauthorized individual had exfiltrated sensitive data from its IT systems. With the help of a top-rated third-party cybersecurity company, Sea Mar determined that its systems were accessed between December 2020 and March 2021. According to the breach notice published on its site, an analysis of the information likely stolen from its network confirmed the theft of the following data types:

Name, address, date of birth, Social Security number, client identification number, diagnostic and treatment details, insurance data, claims data, and/or photos involving dental service.

Sea Mar stated that the process of gathering the contact details needed to issue notification letters to affected persons was concluded on August 30, 2021. Two months after the contact data was gathered, the provider sent the notification letters to the impacted people. The notification submitted to the Maine Attorney General shows that breach notification letters were delivered from October 29, 2021, to November 5, 2021.

Sea Mar stated that it has no knowledge of any evidence of misuse of the data taken in the incident, yet it has provided credit monitoring, identity theft protection, and fraud consultation services to persons whose Social Security number was affected.

The breach notification letters did not mention that the stolen information had been made available for sale on Marketo, a darknet website where stolen data is offered for purchase. Marketo is not a ransomware-affiliated marketplace, though information stolen in ransomware attacks has previously been listed for sale on the website, including the data stolen during the Navistar ransomware attack.

The write-up on Marketo reports that the attackers exfiltrated 3TB of information, such as emails, pictures, contact details, and photographs of agreements. The date of notification given by Sea Mar is the same as the date when Sea Mar was informed of the posting on Marketo.

583,643-Record Data Breach at Utah Imaging Associates

Utah Imaging Associates reported a data breach to the HHS’ Office for Civil Rights on November 3, 2021, that affected the protected health information of 583,643 persons. The breach was reported as a hacking/IT incident impacting PHI kept on a network server.

At this time, there is no mention of the data breach on the Utah Imaging Associates web page, the breach has not been covered by the press, and the incident has not appeared on the sites of state attorneys general that publish breach summaries, so the nature of the Utah Imaging Associates data breach is not yet clear.

Updates will be given when further information becomes available.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations.