Healthcare Data Breaches Continue as New Year Begins

January 06, 2022 - As a new year begins, threat actors are continuing to overwhelm providers and patients with healthcare data breaches. Some experts predict that ransomware actors will favor data exfiltration over encryption this year and that they will shift their focus to APIs and other attack vectors in order to throw off victims.

Florida-based health system Broward Health recently suffered a protected health information (PHI) breach that impacted 1.3 million individuals. Meanwhile, other healthcare organizations are still recovering from a ransomware attack on HR management solutions vendor Kronos.

Many healthcare organizations are also focused on mitigating threats associated with the recently discovered Apache Log4j vulnerability, which could have catastrophic security implications for multiple sectors if exploited.

HHS urged healthcare organizations to implement the Log4j patch and ramp up incident response functions. Healthcare organizations should also remain wary of ransomware, phishing, and other prominent cyber threats that continue to impact organizations across all sectors.

ACLU Demands Answers After RIPTA Health Data Breach 

The Rhode Island Public Transit Authority (RIPTA) recently notified HHS of a PHI breach that impacted 5,015 health plan beneficiaries. The breach occurred between August 3 and August 5, 2021, when an unauthorized individual gained access to some of RIPTA’s computer systems and exfiltrated files, RIPTA’s notice stated.

READ MORE: Billing Error Causes PHI Breach at Illinois Health System

The files contained member names, addresses, birth dates, Medicare identification numbers, health plan member identification numbers, claims information, and Social Security numbers.

After sending out notification letters on December 21, the Rhode Island American Civil Liberties Union (ACLU) began receiving complaints. Some of the individuals who had received breach notification letters had no direct connection to RIPTA.

On December 28, Steve Brown, executive director of the Rhode Island ACLU, sent a letter to RIPTA demanding answers.

“Needless to say, they found this breach of their personal information quite disturbing and are concerned about its potential impact on their medical privacy and on their potential victimization from identity thieves,” the letter stated.

“But worst – and most inexplicable – of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information – much less their personal health care information – in the first place, as they have no connection at all with your agency.”

READ MORE: PHI Breach, Data Exfiltration at Broward Health Impacts 1.3 Million

The letter also noted that it took RIPTA more than two months to identify the people who were impacted, and another two months to notify those individuals. In addition, the notification letter indicated that over 17,000 people were impacted, but HHS only lists 5,015.

The Rhode Island Attorney General’s office is now investigating RIPTA’s handling of the data breach, The Providence Journal reported.

Orthopedic Institute of Western Kentucky Breach Impacts 106K

Southern Orthopedic Associates (SOA), also known as the Orthopedic Institute of Western Kentucky, began notifying patients of a healthcare data breach that impacted 106,910 individuals.

SOA said it became aware of suspicious email activity on July 7, 2021, and immediately launched an investigation. The investigation revealed that an unauthorized individual accessed several employee email accounts between June 24 and July 8.

It is unclear why notification of the breach to HHS was delayed until December 2021.

READ MORE: Accounting Firm Faces Lawsuit Over Healthcare Data Breach

SOA was unable to confirm exactly what information was accessed, viewed, or acquired, but the email accounts included information such as names, birth dates, financial account information, driver’s license numbers, Social Security numbers, passport numbers, medical billing and claims information, and health insurance information.

“SOA has strict security measures to protect the information in its possession,” the letter stated.

“Following this incident, SOA took steps to change all employee email account passwords and to secure the impacted accounts. SOA is currently implementing additional technical safeguards as well as training and education for employees to prevent similar future incidents.”

Impacted individuals should remain vigilant against identity theft and fraud, SOA warned.

IL Fertility Center Notifies Patients of February 2021 Breach

Fertility Centers of Illinois (FCI), which has four locations across Illinois, suffered a healthcare data breach that impacted nearly 80,000 individuals, according to HHS’s data breach portal.

FCI became aware of suspicious network activity on February 1, 2021, and immediately engaged forensic investigators, the notice on FCI’s website stated. The investigation determined that an unauthorized individual gained access to a handful of FCI’s administrative files.

The impacted files contained and names, passport numbers, Social Security numbers, payment card information, prescription information, Medicare and Medicaid identification information, usernames and passwords, employer-assigned identification numbers, patient account numbers, and other protected health information.

“Safeguarding the privacy of your information and the security of our network is among our highest priorities. We have strict security measures in place to protect information in our care,” the letter stated.

“Upon learning of this incident, FCI immediately took steps to eliminate unauthorized access and brought in independent forensic investigators to investigate and remediate the matter.”

FCI said that it has since implemented further security measures to secure patient data, email accounts, and equipment. Specifically, FCI implemented identify verification software and provided employees with enhanced security training.

“Please be assured that we have invested considerable resources to ensure that such a vulnerability does not exist in the future,” FCI concluded.