CO Hospital Suffers Email Data Breach, 52K Impacted

March 09, 2022 - Colorado hospital Montrose Regional Health fell victim to an email data breach that went undetected from August to October 2021 and impacted 52,632 individuals. In a notice on its website, Montrose said that an unauthorized party accessed certain employee email accounts containing patient information.

On February 25, Montrose determined that the email accounts contained names, internal patient account numbers, service dates, procedure codes, provider names, health insurance provider information, and treatment costs.

The hospital’s investigation was unable to determine what specific information was accessed by the hacker. Montrose Regional Health said it reset all account passwords and reviewed security policies and procedures.

“Although we have no evidence of misuse of information, we encourage potentially impacted individuals to remain vigilant by reviewing account statements and explanation of benefits forms for suspicious activity and to detect errors,” the statement explained.

Bako Diagnostics Hacking Incident Impacts 25K

On December 28, 2021, Bako Diagnostics (BakoDx) discovered suspicious network activity and later determined that an unauthorized party had accessed and exfiltrated the personal information of 25,745 individuals.

BakoDx, which provides lab services to healthcare providers focused on skin, tissue, and bone, determined that the third party was able to access certain systems between December 21 and December 28.

Specifically, the threat actor accessed and/or removed contact information, health insurance information, billing and claims information, and medical information, including specimen information and medical record numbers.

“BakoDx takes the security of personal information very seriously. As soon as it discovered the incident, it promptly launched a forensic investigation, contacted law enforcement, and took steps to remediate the incident and prevent further activity,” BakoDx said in a notice on its website.

“In response to this incident, BakoDx has enhanced its security and monitoring capabilities as well as hardened its systems as appropriate to minimize the risk of any similar incident in the future.”

BakoDx offered impacted individuals free credit monitoring services to individuals whose Social Security numbers, financial account information, driver’s license numbers, or state identification numbers were exposed.

Compromised Email Account Used to Send Phishing Emails at Michigan Medicine

Michigan Medicine began notifying 2,920 patients of an email data breach that potentially exposed some protected health information (PHI). On December 23, 2021, a hacker accessed a Michigan Medicine employee’s email account and used the account to send phishing emails.

On January 6, the employee discovered that their account had been compromised and reported the incident to Michigan Medicine’s IT department, which promptly disabled the account.

“No evidence was uncovered during our investigation to suggest that the aim of the attack was to obtain patient health information, but data theft could not be ruled out,” Michigan Medicine said.

“As a result, all of the emails involved were presumed compromised. The contents were reviewed to determine if sensitive data about any patients was potentially impacted.”

Some emails contained patient names, addresses, birth dates, diagnostic information, health insurance information, and medical record numbers. The notice emphasized that the emails were all job-related. Michigan Medicine said it would work on improving its cyber education materials.

“Patient privacy is extremely important to us, and we take this matter very seriously,” Jeanne Strickland, Michigan Medicine chief compliance officer, said in the notice.

“Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence.”