NewYork-Presbyterian Hospital Notifies 12K of Healthcare Data Breach

November 18, 2022 - NewYork-Presbyterian (NYP) Hospital notified approximately 12,000 patients of a breach that occurred in September 2022. The hospital received an alert of suspicious server activity on September 8, its notice to patients explained.

NYP was able to block an unauthorized user’s attempts to download information. However, further investigation revealed that  the third-party had “used a cloud-based, remote information technology customer support program to gain access to the laptops of several of its workforce members, copying and removing desktop files from some of the devices,” NYP explained.

One of the compromised laptops contained protected health information (PHI) belonging to certain NewYork-Presbyterian/Queens and NewYork-Presbyterian/ Hudson Valley patients.

The information involved in the incident included names, insurance authorizations, addresses, medical records, and exam results.

“NYP is committed to protecting the privacy and security of its patients’ health information and has taken steps to prevent a similar incident from happening in the future,” the notice continued.

“Accounts used for the technical assistance program were immediately suspended and the service was terminated without further incident. NYP confirmed there was no unauthorized access to NYP’s electronic medical records patient portal and none of its other data has been compromised.”

Gateway Ambulatory Surgery Center Suffers Phishing Attack

North Carolina-based Gateway Ambulatory Surgery Center notified 18,479 individuals of a phishing attack that may have resulted in unauthorized access to two Gateway employee email accounts between February 14 and May 10.

Although Gateway first discovered the incident on April 6, it began notifying impacted individuals on October 31.  

“Gateway cannot rule out the possibility that emails and attachments in the Gateway employee email accounts may have been accessed as a result of this incident,” the notice stated.

The email accounts contained patient names, health insurance information, medical history, health benefit enrollment information, patient account numbers, and dates of service. For some individuals, Social Security numbers and driver’s license numbers were also impacted.

Gateway said it has since deployed an endpoint detection and response system throughout its network and is providing additional employee training.

CorrectCare Integrated Health Data Breach Tally Grows

CorrectCare Integrated Health, a third-party health administrator, suffered a healthcare data breach on July 6, 2022 that stemmed from a misconfigured web server.

CorrectCare discovered the breach in July and learned that patient information contained in two file directories was exposed as early as January 22, 2022. CorrectCare was able to remediate the exposure in less than nine hours upon discovery.

As previously reported, the breach impacted 85,466 individuals at the Louisiana Department of Public Safety and Corrections. According to CorrectCare’s website, the breach also impacted more than 438,000 individuals at the California Department of Corrections and Rehabilitation (CDCR).

Additionally, current and former inmates at the Alaska Department of Corrections and the Georgia Department of Corrections were impacted by the breach, bringing the total breach tally to more than 500,000.

In addition, MEDIKO, a correctional healthcare company based in Virginia, reported that 2,809 individuals associated with its organization were impacted by the CorrectCare breach.  

The impacted file directories contained names, birth dates, diagnosis codes, provider names, and limited health information.