NJ Dialysis Center, Neurosurgery Practice Both Face Cyberattacks

March 22, 2022 - Two New Jersey-based healthcare organizations fell victim to separate cyberattacks that potentially resulted in protected health information (PHI) exposure.

In 2021, Critical Insight observed a significant uptick in cyberattacks against outpatient facilities and specialty clinics. Threat actors are continuing to shy away from high-profile health system attacks in favor of small facilities and business associates.

NJ Dialysis Center Email Breach Impacts 14K

Dialyze Direct in Neptune City, New Jersey suffered an email data breach that impacted 14,203 individuals. On February 14, 2022, the dialysis center confirmed that an unauthorized actor accessed one employee’s email account between January 21, 2021, and March 4, 2021. Dialyze Direct began notifying patients of the breach on March 10, a year after it occurred.

The compromised email account involved names, Social Security numbers, birth dates, financial account information, diagnostic and treatment information, health insurance plan information, financial identification numbers, government identification numbers, and payment card information.

Dialyze Direct said it had no evidence of data misuse as a result of the incident. However, impacted individuals should follow proper cyber hygiene practices and monitor accounts.

“The security and privacy of personal information is of the utmost importance,” the practice’s notice stated.

“Since the incident, we have worked with our Information Technology (“IT”) managed services provider to implement additional security measures in an effort to prevent a similar event from occurring in the future.”

NJ Neurosurgery Practice Cyberattack Affects 92K

New Jersey Brain and Spine (NJBS) began notifying patients of a November 2021 cyberattack that impacted 92,453 individuals via online notice. The neurosurgery practice discovered that some of its data had been encrypted due to a cyberattack on its network that began on November 16, 2021.

NJBS said it hired a third-party vendor to determine what data may have been compromised. The data mining process is still ongoing, and NJBS said it will notify individuals by mail once they have all been identified.

The potentially exposed information included names, email addresses, birth dates, addresses, Social Security numbers, driver’s license numbers, telephone numbers, financial account information, and medical information.

“NJBS takes the security of all personal information and protected health information in its possession very seriously and is taking additional measures to protect this information,” the notice stated.

“Since the incident, NJBS has migrated to a third-party hosted cloud-based platform to securely store patient data, implemented two-factor authentication, installed a new server, and implemented ongoing monitoring response which tracks user activity, services and ports and coordinates logging.”

NJBS encouraged impacted individuals to remain vigilant against identity theft but said it had no reason to believe that any information was misused.