Aesto Health, Aon PLC, Alameda Health System Suffer Healthcare Data Breaches

June 10, 2022 - Three organizations suffered healthcare data breaches and reported them to HHS recently. All three incidents described below involved unauthorized access to certain systems or email accounts.

In addition to these breaches, Massachusetts-based Shields Health Care Group reported a breach that affected 2 million people, making it the largest healthcare data breach of 2022 to date, according to the Office for Civil Rights (OCR) data breach portal. Additionally, eight more organizations were added to the Eye Care Leaders EMR breach tally.  

Aesto Health Suffers Data Security Incident, 17K Impacted

Aesto Health, a company that “provides a suite of solutions that enable healthcare enterprises, medical providers, and the people that support them to exchange, organize, and protect patient information,” said it suffered a data security incident that impacted its internal IT systems.

Aesto Health is a business associate of Osceola Medical Center (OMC). Aesto Health began mailing letters to 17,400 OMC patients on May 20 who may have been involved in the incident. Aesto Health first discovered the incident on March 8 when it noticed disruptions in IT operations, and the company found that patient information was involved on March 22.

Further investigation revealed that an unauthorized actor had accessed Aesto Health’s systems between December 25 and March 8. The unauthorized actor also copied some files from a backup storage device, including OMC radiology reports.

The record contained names, dates of birth, radiology report findings, and physician names.

“Importantly, this incident did not occur at OMC. The data systems and medical records maintained at OMC were not affected by this incident and remain secure,” Aesto Health stated.

“We take this incident very seriously and sincerely regret any concern this may cause. Based on the nature of the information involved in the incident, OMC patients do not need to take further action in response to the incident.”

Aon PLC Was “Target of a cyber event” Between December 2020 and February 2022

Aon PLC reported a hacking incident to OCR that impacted 28,714 individuals. A sample notice posted on the Maine Attorney General’s Office website showed that Aon was the target of a cyber event that “impacted a limited number of Aon systems.”

Aon is a professional services firm that sells health insurance plans, risk mitigation products, and other services.

According to the notice, Aon discovered the cyber incident on February 25, 2022. Investigators discovered that an unauthorized party had accessed Aon’s systems at various points between December 29, 2020, and February 26, 2022.

The unauthorized party “temporarily obtained” documents containing names, driver’s license numbers, Social Security numbers, and some benefit enrollment information. Aon said it took steps to confirm that the unauthorized party no longer had access to the data.

“Aon immediately reported the incident to, and is working closely with, law enforcement authorities, including the FBI,” Aon told the impacted individuals.

“Additionally, to prevent a similar occurrence in the future, we implemented numerous measures designed to enhance the security of our network, systems, and data. Aon will continue to evaluate additional steps that may be taken to further enhance the firm’s security environment.”

Alameda Health System Reports 2020 Data Breach Impacting 90K

California-based integrated public healthcare system Alameda Health System (AHS) began notifying 90,000 individuals of a data breach that occurred in 2020, according to the California Attorney General’s Office.

On June 17, 2020, AHS discovered that an unauthorized actor was able to remotely access an employee’s email account on April 8, 2020. Although AHS said it had no reason to believe that any information was misused, the email account contained names, limited medical information, driver’s license numbers, Social Security numbers, and health insurance information.

We take our responsibility to safeguard our patients’ personal information seriously and apologize for any inconvenience or concern this incident might cause,” the notice sent to patients stated.

“We will continue to remain on our guard against these types of attacks to protect the safety of our patients and the security of their information.”

It is important to note that under the HIPAA Breach Notification Rule, covered entities must report healthcare data breaches impacting more than 500 people to HHS within 60 days of discovery.