Mississippi Health System Suffers Ransomware Attack, 253K Individuals Impacted

January 24, 2024 - Singing River Health System in Mississippi suffered a ransomware attack in August 2023 that resulted in a data breach. The breach impacted 252,890 individuals in total, according to a notice provided to the Maine Attorney General’s Office.

Singing River identified unauthorized access between August 16 and 19, later determining that the incident was a “malicious and sophisticated ransomware attack.” The health system worked to promptly respond to the incident and assess its systems.

The health system said it doesn’t believe that any information has been misused as a result of the incident, but victims are entitled to 12 months of credit monitoring services. The breach potentially exposed names, dates of birth, Social Security numbers, addresses, medical information, and health insurance information.

Dallas Wellness Center Suffers Breach, 124K Records Impacted

Dallas, Texas-based Cooper Aerobics recently informed more than 124,000 individuals of a data security incident that occurred in early 2023. Cooper Aerobics discovered that an unauthorized actor gained access to the Cooper Aerobics network on February 3, 2023.

On December 8, 2023, Cooper Aerobics determined that the threat actor had removed some files containing health information from the network.

Specifically, the impacted files contained, names, addresses, phone numbers, Social Security numbers, credit or debit card information, tax identification numbers, passport numbers, usernames and passwords, prescription information, medical record numbers, and health insurance information.

Cooper Aerobics stated that it has no evidence that any of the compromised data has been used for identity theft or financial fraud.

“Cooper Aerobics remains fully committed to maintaining the privacy of personal and protected health information in its possession and has taken many precautions to safeguard it, including continually evaluating and modifying its practices and internal controls,” the organization stated.

Laptop Theft At Medical Helicopter Operator Office Results in Breach

Air Methods, a helicopter operator that provides emergency medical services to more than 100,00 patients per year across 48 states, recently notified 34,000 individuals of a data breach.

On November 9, Air Methods suffered a break-in in which a laptop containing patient information was stolen. The files on the laptop included patient names, dates of service, contact information, insruance information, and diagnosis information, as well as a small number of Social Security numbers.

The laptop still has not been recovered, but Air Methods was able to remotely change the password associated with the laptop’s user account. Additionally, the security settings on the laptop were configured so that Air Methods will be alerted if it connects to the internet.

“To help prevent something like this from happening again, we will continue to assess and, where appropriate, enhance office security,” the notice continued. “Additionally, it is always a good idea for individuals to review statements received related to their healthcare. If any charges are identified for services they did not receive, they should contact the issuing entity immediately.”

Medical Billing Service Breach Impacts 60K

ConsensioHealth, a physician-owned medical billing company, notified 60,871 individuals of a data breach that it discovered in July 2023. The incident resulted in the encryption of certain systems and files on ConsensioHealth’s network.

Upon discovery, the organization contained the threat, alerted law enforcement, and engaged cybersecurity specialists. The investigation determined that a threat actor had removed files and folders from the network, some of which contained protected health information.

Specifically, the impacted information included names, Social Security numbers, addresses, dates of birth, health insurance information, account access credentials, patient account numbers, diagnosis information, and prescription information.

“Consensio values your privacy and deeply regrets that this incident occurred. We are committed to maintaining the privacy of personal and health information in our possession and have taken many precautions to safeguard it,” the notice added.

“We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information. Since detecting the incident, we have reviewed and revised our information security practices, and implemented additional security measures to mitigate the chance of a similar event in the future.”