98K Patients, Employees Impacted by Oklahoma Provider Data Breach

September 02, 2021 - Oklahoma-based CareATC announced that it fell victim to a provider data breach that jeopardized the personally identifiable information (PII) and protected health information (PHI) of over 98,000 patients, employees, and dependents of patients and employees.

The provider became aware of suspicious activity on June 29, and later determined through a forensic investigation that an unauthorized third party had accessed two employee email accounts between June 18 and June 29.

After a thorough review, CareATC concluded on August 11 that names and birthdates were the only information impacted in most cases. However, Social Security numbers, driver’s license numbers, financial account information, health insurance information, passport numbers, US Alien Registration numbers, electronic signatures, usernames, passwords, and medical history may have been exposed in some instances.

CareATC is a population health management company with locations in Oklahoma, Florida, and Georgia. The organization focuses on helping employers save money by improving employee health by delivering wellness tools, telemedicine, and primary care.

The provider is unaware of any misuse of information as a result of the incident.

“CareATC is mailing notice letters to individuals for whom they have valid mailing addresses whose protected information was contained in the affected email accounts and may have been potentially accessible by an unauthorized party,” the announcement stated.

Patients and employees can call a designated number for questions relating to the data breach and encouraged impacted individuals to look out for any suspicious activity.

“CareATC takes the security of information in its care very seriously. Upon learning of this issue, CareATC immediately took steps to secure the email accounts and conducted a diligent investigation to confirm the nature and scope of the incident,” the announcement continued.

“CareATC is also conducting additional employee training related to email security and is working with third-party specialists to increase the security of its email system.”

In other news, a recent cyberattack on DuPage Medical Group in Illinois may have exposed the PHI of 600,000 patients, the state’s largest data breach of 2021 to date.

The FBI recently released a flash alert warning healthcare providers of Hive ransomware group, a hacking group responsible for a massive cyberattack on Memorial Health System in mid-August. The group uses phishing emails to gain access to private networks and Remote Desktop Protocol (RDP) to navigate the network after it has been compromised.

As hackers build confidence and target larger organizations, healthcare organizations have been forced to adapt rather than face catastrophic privacy consequences. The Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet recently outlining steps organizations can take to prevent ransomware attacks and protect PII.

CISA recommended that all organizations maintain offline, encrypted data backups and regularly test backup procedures. In addition, organizations should implement safeguards against common vulnerabilities and misconfigurations, and educate employees about cyber hygiene.

In the unfortunately likely event of a cyberattack, organizations should immediately determine which systems were impacted and isolate them. It is also crucial to have an emergency plan in place to avoid disruptions in patient care.

Most importantly, organizations should never pay a ransom to hackers. Implementing basic cybersecurity practices can effectively mitigate the impact of a cyberattack and ensure that the hackers do not have the upper hand.