MultiCare Notifies 23K of Third-Party Breach

December 23, 2022 - MultiCare Health System in Washington suffered a third-party data breach that originated at its mailing service provider, Kaye-Smith. As previously reported, the breach at Kaye-Smith impacted other healthcare organizations, including 31,573 individuals at St. Luke’s Health System in Idaho. The breach impacted more than 23,000 individuals at MultiCare.

In June 2022, Kaye-Smith hired experts to investigate suspicious activity within its digital environment. Kaye-Smith later determined that a ransomware actor had been discretely compromising files since May 2022. Names, addresses, and Social Security numbers were impacted.

“Through our investigation we confirmed the scope of this incident, the security of our environment and that our systems are not otherwise currently at risk,” Kaye-Smith explained to impacted MultiCare patients.

“In order to prevent any further unauthorized access, we have enhanced our security measures and monitoring.”

Hawaiian Eye Center Suffers Cyberattack

Hawaiian Eye Center (HEC) notified patients of a cyberattack that occurred in early November. On November 2, HEC discovered that one of its servers was unresponsive and quickly shut down and secured the network.

HEC said it engaged a cybersecurity team to conduct a thorough forensic investigation. The files that were potentially accessed by an unauthorized party potentially included names, email addresses, dates of birth, Social Security numbers, addresses, medical records, driver’s license numbers, and health insurance providers and numbers.

Following the investigation, HEC began notifying patients of the breach on December 16.

“HEC sincerely apologizes for any inconvenience this incident may cause to members of its community and remains dedicated to maintaining the security and protection of all patient information in its control,” the notice concluded.

The Elizabeth Hospice Suffers Insider Breach

The Elizabeth Hospice (TEH), a nonprofit hospice that provides support for children and adults, suffered a data breach in October. TEH discovered that one of its now former employees had forwarded emails from her business account to her personal email account.

On November 14, TEH determined that names, dates of admission, patient account numbers, dates of discharge, and basic health information were involved in the incident. Social Security numbers and financial account information were not involved.

“Upon detecting this incident, we moved quickly to initiate a response, which included conducting an investigation to determine the extent of PHI transferred and identify potentially impacted individuals,” the hospice noted.

MA Pediatric Practice Experiences Breach

Massachusetts-based Pediatrics West notified more than 1,300 individuals of a healthcare data breach that it discovered in October. Following the practice’s discovery of suspicious activity on its systems, Pediatrics West launched an investigation and determined that an unauthorized party had accessed some of its systems between August 19, 2021, and August 15, 2022.

“Our review and analysis of those files determined they may have contained some information for some of our patients, including names, contact information, demographic information, dates of birth, diagnosis and treatment information, prescription information, medical record number, provider names, dates of service, and/or health insurance information,” the notice stated.

“Social Security numbers were NOT involved in the incident. In addition, our electronic medical records system was NOT involved in the incident.”

Pediatrics West has since implemented additional safeguards to protect patient information.