Illinois Gastroenterology Group Data Breach Impacts 228K

May 09, 2022 - Illinois Gastroenterology Group (IGG) suffered a data security incident that potentially impacted 227,943 individuals. IGG discovered unusual network activity on October 22, 2021. On November 18, IGG determined that an unauthorized actor had gained access to its systems and that “information contained in those systems may have been viewed or taken.”

The systems contained names, birth dates, Social Security numbers, driver’s license numbers, passport information, financial account information, addresses, payment card information, biometric data, employer-assigned identification numbers, and medical information.

IGG said it had no evidence of related identity theft or fraud.

“In response to this incident, IGG augmented its policies and procedures addressing network security,” the notice stated.

“IGG accelerated the implementation of an enhanced managed Security Operations Center including the deployment of an endpoint detection and response platform in response to this event with policies enabled specially for ransomware. IGG immediately reset passwords and employees with privileged access to sensitive systems were enrolled into our multifactor authentication platform.”

EvergreenHealth Faces Third-Party EMR Breach

King County Public Hospital District No. 2 (also known as EvergreenHealth) began notifying patients of a data breach involving Eye Care Leaders, a third-party company that runs the myCare Integrity electronic medical record (EMR) platform. EvergreenHealth Eye Care Clinic uses the EMR platform to maintain records.

The Washington-based health system, which operates in the Seattle metropolitan area, said that an unauthorized party accessed myCare Integrity data around December 4, 2021 and subsequently deleted databases and system configuration files. According to the Office for Civil Rights (OCR) data breach portal, the incident potentially impacted 20,533 individuals.

The incident did not involve unauthorized access to EvergreenHealth Systems. As of March 28, 2022, Eye Care Leaders was still investigating the incident.

“Although Eye Care Leaders has not confirmed that any EvergreenHealth patient information was accessed as a result of the incident, they have informed EvergreenHealth that they cannot rule out that possibility,” the notice stated.

“This information may have included patient names, dates of birth, medical record numbers, and information regarding care received at EvergreenHealth Eye Care Clinic.”

EvergreenHealth began mailing notification letters to potentially impacted patients on April 22, 2022. Any non-Eye Care Clinic patients would not have been involved in the incident.

EvergreenHealth regrets any concern or inconvenience the Eye Care Leaders data security incident may cause,” the notice concluded.

“EvergreenHealth is examining its vendor relationship with Eye Care Leaders and evaluating their security safeguards.”

SAC Health Suffers Break-In at Record Storage Facility

Social Action Community Health System (SAC Health) in San Bernardino, California, issued notification of a break-in at an off-site storage facility that potentially impacted an undisclosed number of patients.

On March 4, SAC Health learned that an unauthorized individual had stolen six boxes of paper documents containing patient records. SAC Health later determined that the files related to patients served by SAC Health in 1997 and between 2006 and 2020.

The files potentially contained names, dates of birth, addresses, and diagnosis codes.

“Upon learning of this incident, SAC Health moved quickly to investigate and respond. SAC Health is assessing all policies and procedures related to the storage of paper data,” the notice stated.

SAC Health currently has no evidence that the data was misused.  

Optima Dermatology Email Security Incident Impacts 60K

New Hampshire-based Optima Dermatology and its brands, namely The Dermatology Center of Indiana and Advanced Dermatology & Skin Cancer Center, began notifying 59,872 individuals of an email security incident that potentially exposed protected health information.

On February 17, 2022, Optima Dermatology discovered that an unauthorized actor had gained access to an employee email account between August 30 and September 2, 2021.

The email account contained names, birth dates, health insurance claims information, subscriber numbers, medical record numbers, and medical treatment and conditions information.

“Optima Dermatology has no evidence that any of the information was or will be misused,” the notice stated.

“However, out of an abundance of caution, Optima Dermatology notified individuals whose information was included in the files present in the impacted employee email account.”

Optima Dermatology said it implemented additional security measures to prevent similar events from occurring in the future.