Healthcare Data Breaches Continue to Impact Patients in New Year

January 22, 2024 - In 2023, more than 540 organizations reported healthcare data breaches to HHS, impacting upwards of 112 million individuals. 

As the new year begins, the aftermath of 2023 breaches continues to impact patients across the country. Nearly all of the breaches reported to HHS in 2024 so far occurred in 2023 or earlier, as exemplified by the breach notifications summarized below.

Hampton-Newport News Community Services Board Suffers Ransomware Attack

Hampton-Newport News Community Services Board (HNNCSB) in Virginia reported a 44,312-record breach to HHS in January that it discovered in November 2023. HNNCSB noticed technical disruptions to some of its computer systems on November 12.

Further investigation determined that the organization had fallen victim to a ransomware attack on September 26. The information involved in the breach may have included demographic information, Social Security numbers, clinical information, and insurance information.

“These types of cybercrimes are increasingly problematic, and unfortunately, all organizations today are susceptible, despite sound cybersecurity practices and protocols,” HNNCSB’s breach notice stated.

HNNCSB notified law enforcement of the incident and offered credit monitoring and identity restoration services to impacted individuals. The organization also said it would continue to work with law enforcement to “bring the cybercriminals to justice.”

Alabama Law Firm Experiences Healthcare Data Breach

Burr & Forman LLP, an Alabama-based law firm, suffered a data breach that impacted 19,893 individuals and potentially exposed some medical information. Burr & Forman consists of more than 350 attorneys across Alabama, Delaware, Florida, Georgia, Mississippi, North Carolina, South Carolina, and Tennessee.

In October 2023, the firm discovered unusual activity on one of the laptops in its network. Further investigation determined that an unauthorized actor had acquired certain documents and information on its systems. The incident did not impact computer systems belonging to its clients, but information held in Burr & Forman’s systems was impacted.

Specifically, Burr & Forman notified Texas-based Oceans Healthcare, a behavioral healthcare organization that focuses on geriatric behavioral health, of the breach. The information impacted in the Burr & Forman breach appeared to pertain to Oceans Healthcare patients. The information involved included names, Social Security numbers, insurance information, and medical coding information with dates and descriptions.

Burr & Forman began notifying impacted individuals in early January and included steps that impacted individuals can take to monitor their information.

Senior PsychCare Breach Impacts 75K Individuals

Texas-based Psychological Holdings, PLLC, also known as Senior PsychCare (SPC), recently notified more than 75,000 individuals of a December 2022 data breach.

Although the breach occurred in December 2022, SPC did not confirm the breach until November 2023. During the breach, an unauthorized party accessed and potentially acquired certain files containing personal information, including names, addresses, Social Security numbers, medical information, and health insurance information.

SPC stated that it had no evidence that any personal information had been misused as a result of this incident.

“SPC is committed to maintaining the privacy of personal information in its possession and has taken many precautions to safeguard it. SPC continually evaluates and modifies its practices to enhance the security and privacy of the personal information it maintains,” the notice added.

238K Individuals Impacted By Breach at TX Public Mental Health Authority

The Harris Center for Mental Health and IDD, a Texas-based public mental health authority, suffered a data breach in November 2023 that impacted the information of 238,463 individuals. The Harris Center promptly launched an investigation and determined that an unauthorized actor had accessed certain information within its network between November 6 and 7, 2023.

The impacted information included names and other demographic information, Social Security numbers, financial account information, treatment and prescription information, Medicare/Medicaid ID numbers, health insurance information, and treatment costs.

The Harris Center stated that it has since reviewed its policies and procedures and provided credit monitoring and identity protection services to the impacted individuals.