Latest Reported Data Breaches Impact Variety of Healthcare Orgs

May 01, 2023 - Healthcare data breaches continue to impact large and small organizations across the country, as exemplified by the most recent batch of data breach notifications outlined below.

Graceworks Lutheran Services Breach Impacts 6,700 Individuals

Dayton, Ohio-based Graceworks Lutheran Services, a social services organization, suffered a breach that impacted 6,737 individuals. According to the breach notice, Graceworks discovered unauthorized activity within its systems on February 18, 2023.

Graceworks was unable to rule out the possibility that an unauthorized party accessed protected health information, although there was no evidence to indicate that any information had been misused. The impacted data may have included names, Social Security numbers, medical diagnosis and treatment information, health insurance information, prescription information, dates of birth, and addresses.

In response to the breach, Graceworks immediately launched an investigation and implemented additional security measures to bolster its data security posture.

CA FQHC Suffers Data Breach

Petaluma Health Center (PHC), a Federally Qualified Health Center (FQHC) in California, suffered a data breach that impacted current and former employees, board members, and volunteers.

PHC discovered suspicious activity within its network on March 14, 2023. The FQHC immediately shut off network access and engaged an incident response team. PHC found no evidence that any information was misused, but the following information was potentially acquired by an unauthorized party: names, addresses, Social Security numbers, health insurance plan information, passport numbers, dates of birth, and driver’s license numbers.

PHC said it maintained this information for payroll and human resources purposes.

“Data security is among PHC’s highest priorities,” the notice stated. “Upon detecting this incident we moved quickly to initiate a response, which included conducting an investigation with the assistance of third-party IT specialists and confirming the security of our network environment. We are also reviewing and enhancing our technical safeguards to prevent a similar incident.”

NY Home Care Service Provider Issues Breach Notice

New York-based Unlimited Care (UCI), a provider of home care services, notified an undisclosed number of indivividuals of a data security incident that potentially involved the protected health information (PHI) of some UCI patients and employees.

UCI first learned of unusual activity within its systems on February 16, 2023 and took immediate steps to secure its systems and launch an investigation, the breach notice stated.

By mid-March, UCI determined that some personal information may have been accessed by an unauthorized third party during the incident. The information varied by individual but may have included names, birth dates, Social Security numbers, medical diagnostic codes, Medicaid numbers, addresses, and some isolated trust account information.

“UCI has implemented additional measures to enhance the security of its digital environment in an effort to minimize the likelihood of a similar event from occurring in the future,” the notice stated.

NYSARC Columbia County Chapter Suffers Ransomware Attack

NYSARC Columbia County Chapter (COARC), a family-based provider of services for people experiencing developmental and intellectual disabilities, issued a breach notice recently. COARC detected unusual system activity on its systems in July 2022.

COARC immediately disconnected systems, engaged a team of cyber professionals, and contacted law enforcement. Further investigation revealed that an unauthorized actor had obtained access to a limited number of COARC systems for the purpose of encrypting data with ransomware.

The potentially impacted information included names, addresses, Social Security numbers, medical information, driver’s license information, passport numbers, credit card numbers, and student information.

“Upon becoming aware of the incident, COARC immediately implemented measures to further improve the security of their systems and practices,” the notice stated.

“COARC worked with a leading privacy and security firm to aid in their investigation and response and is reporting this incident to relevant government agencies. COARC also implemented additional security protocols designed to protect their network, email environment, and systems.”

COARC said it was unaware of any misuse of the impacted data but encouraged impacted individuals to remain vigilant.