NY Billing Company Suffers Ransomware Attack, 942K Impacted

August 17, 2022 - New York-based medical billing and practice management company Practice Resources, LLC (PRL) began notifying 942,138 individuals of a ransomware attack that impacted 26 of its healthcare organization clients.

According to a notice posted on the California Attorney General’s Office website, PRL suffered a ransomware attack on April 12, 2022. PRL immediately took steps to secure its systems and gained assistance from third-party experts.

The information involved in the attack potentially included names, addresses, health plan numbers, dates of treatment, and medical record numbers.

“We treat all sensitive information in a confidential manner and are proactive in the careful handling of such information,” the notice stated.

“Since the Incident, we have implemented a series of cybersecurity enhancements and will soon roll out others.”

The following healthcare organizations were impacted by the ransomware attack at PRL:

• Achieve Physical Therapy, PC
• CNY Obstetrics and Gynecology, P.C.
• Community Memorial Hospital, Inc
• Crouse Health Hospital, Inc
• Crouse Medical Practice PLLC
• Family Care Medical Group, PC
• Fitness Forum Physical Therapy, PC
• FLH Medical PC
• Greece Dermatological Associates, PC
• Guidone Physical Therapy, PC
• Hamilton Orthopedic Surgery & Sports Medicine
• Helendale Dermatological and Medical Spa, PLLC
• Kudos Medical, PLLC
• Laboratory Alliance of Central New York, LLC
• Liverpool Physical Therapy, PC 
• Michael J Paciorek, MD PC
• Nephrology Associates of Watertown, PC
• Nephrology Hypertension Associates of CNY, PC
• Orthopedics East, PC
• Salvation Army
• Soldiers & Sailors Memorial Hospital—Physician Practices
• St. Joseph’s Medical
• Surgical Care West, PLLC
• Syracuse Endoscopy Associates, LLC
• Syracuse Gastroenterological Associates, PC
• Syracuse Pediatrics
• Tully Physical Therapy
• Upstate Community Medical, PC

PRL provided credit monitoring services to impacted individuals.

United Health Centers of the San Jaoquin Valley Notifies Patients of 2021 Ransomware Attack

United Health Centers of the San Jaoquin Valley (UHC) began notifying individuals of a 2021 ransomware attack one year after it occurred. In a letter posted on the California Attorney General’s Office website, UHC explained that it began experiencing technical difficulties on August 28.

The difficulties resulted in “a disruption to certain computer systems,” the notice explained.

“UHC promptly took steps to secure our systems and commenced an investigation into the nature and scope of the incident. UHC’s investigation determined that the disruption was caused by an encryption event. UHC worked expeditiously to restore our systems to avoid an interruption to patient care.”

UHC said it discovered that certain data had been compromised on September 22. Further investigation revealed that the attack took place between August 24 and August 28. UHC said it completed its review of impacted information on April 11, 2022, and then began notifying patients.

The information involved in the incident included names, Social Security numbers, and medical record numbers.

“We sincerely regret any inconvenience this event may cause you,” the notice concluded. “We appreciate your trust in us and remain committed to safeguarding the information in our care.”

San Diego American Indian Health Center Suffers Data Breach

San Diego American Indian Health Center (SDAIHC) suffered a data breach that involved an undisclosed number of current and former individuals served by the health center, a notice on its website stated.

SDAIHC discovered that it was the victim of a “sophisticated cybersecurity attack affecting the digital network” on May 5. Further investigation determined that an unauthorized party had accessed its network and obtained data, including names, Social Security numbers, driver’s license numbers, addresses, tribal identification card numbers, health insurance information, medical information, and birth dates.

“To date, SDAIHC is not aware of any evidence of the misuse of any information potentially involved in this incident,” the notice explained.

SDAIHC began notifying impacted individuals of the breach on August 15.