More Health Quest Patients Added to 2018 Phishing Attack Victims
Health Quest is notifying additional patients that their data was compromised after a 2018 phishing attack; ransomware, phishing, and device theft complete this week’s breach roundup.
By - New York-based Health Quest recently began another round of breach notification letters, after discovering more patient data than initially estimated was compromised during a 2018 phishing attack.
Health Quest is now part of Nuvance Health, a seven-hospital system in the Hudson Valley of New York and western Connecticut.
In May 2019, Health Quest reported that several employees fell victim to phishing attacks a year earlier in July 2018 and provided the attackers with their user credential. As a result, the data of 28,910 patients was potentially compromised, including health information, contact details, and claims data.
The attack was detected soon after it again, but officials did not report the incident until two months after the investigation concluded in April 2019.
The notification does not detail when Health Quest launched a secondary investigation. However, officials said through that assessment, they determined additional patients may have been impacted by the incident.
For the additional patients, both former and current, the compromised data varied by individual and could include dates of birth, Social Security numbers, Medicare Health Insurance Claim Numbers, driver’s licenses, treatment, dates of service, provider names, diagnoses, health insurance plan member and group numbers, financial account information with PINs or security codes, and payment card data.
Health Quest has since implemented multi-factor authentication on its email system and other security measures and has since provided employees with additional phishing-related training.
Ransomware Attack on btyDENTAL
A recent breach notification from Anchorage, Alaska-based bty DENTAL demonstrates both successful preparation and reporting processes.
On November 17, the dental provider discovered a ransomware attack had infected several of its servers. The IT team quickly intervened to contain the attack and restore the servers, engaging with a third-party health IT consultant to determine whether patient data was impacted during the event.
The investigation could not determine if patient names or X-Ray images were viewed or accessed by the attackers. However, officials said they also did not identify any activity surrounding patient data.
About 2,000 patients are receiving notifications out of an abundance of caution, and bty DENTAL also reported the incident to the Department of Health and Human Services.
“Importantly, our practice management software and database were encrypted as required by HIPAA, and no financial information, medical record, Social Security numbers, date of birth, if provided to us, were impacted by this event,” btyDental Vice President Robert Croft, said in a statement.
“The privacy and security of our patient information is a top priority for btyDENTAL, we continually evaluate the security of our patient health information, and we strive to improve and strengthen the IT Security through training of our employees and most up-to-date security measures,” he continued.
Cardiovascular Associates of Arizona Device Theft
In another notification sent out of an abundance of caution, Cardiovascular Associates of Arizona is notifying patients of the theft of four computers. However, those devices did not contain patient data.
The provider'a office was broken into in early October and four laptops were stolen. The devices required a PIN code and password to gain access, and the EHR system requires credentials, as well, which were also not stored on the devices. It’s unclear whether other patient-related information was contained on the device.
“Without login information, no patient information can be obtained,” officials wrote in a letter to patients in The Arizona Bullet. However, officials are recommending patients monitor their accounts as a precaution.
Phishing Attack on SouthEast Eye Specialist Group
About 13,000 SouthEast Eye Special Group patients are being notified that their data was potentially compromised after a phishing attack.
Suspicious activity was detected on several employee email accounts by the SEES Group IT team. An investigation into the security incident concluded on November 1, but officials did not explain when it was first discovered.
Under HIPAA, covered entities must report data breaches within 60 days of discovery, not at the conclusion of an investigation.
An investigation and analysis of the impacted accounts was promptly launched with assistance from a third-party forensics team. Officials said they could not rule out whether the attackers viewed or obtained patient information stored in the compromised accounts.
The accounts contained patient names, Social Security numbers, and treatment information. SEES Group is contonue to bolster its email security and review policies and procedures.
