PA Dermatology Practice Suffers Healthcare Data Breach, 33K Impacted

Aesthetic Dermatology Associates, Family Medicine Shady Grove, and Cardiac Imaging Associates all recently disclosed healthcare data breaches.

By Jill McKeon

Pennsylvania-based Aesthetic Dermatology Associates suffered unauthorized access to its network, resulting in a healthcare data breach that impacted 33,793 individuals.

A notice provided to the Montana Attorney General’s Office explained that Aesthetic Dermatology first discovered suspicious activity on August 15, 2022. Further investigation determined that an unauthorized party had accessed certain systems on the practice’s network, including files containing patient information.

The potentially impacted files contained patient names, dates of birth, addresses, diagnosis codes, and health insurance information.

“As soon as we detected suspicious activity, we promptly began an investigation to confirm the nature and scope of this incident. Aesthetic Dermatology is committed to protecting your information,” the notice to patients stated.

“As part of this commitment, we are reviewing our existing policies, procedures, and systems related to cyber security. Although we have no evidence of any actual or attempted misuse of the potentially impacted information resulting from this incident, we are notifying affected individuals, including you, so that you may take steps to protect your personal information, should you feel it is appropriate to do so.”

Maryland Family Medicine Practice Suffers Ransomware Attack

Maryland-based Family Medicine Shady Grove (FMSG) fell victim to a ransomware attack in August, a website notice stated. The incident impacted 6,482 individuals but did not impact patient medical records.

On August 9, FMSG discovered that its internal on-site server was encrypted with ransomware. FMSG noted that it stores its medical records on a cloud-based EMR system, and no patient records were impacted by the breach.

However, the incident did impact patient medical billing records, which were stored on the on-site server. The impacted data included names, dates of birth, addresses, Explanations of Benefits, and monthly billing printouts.

“In response to this incident, FMSG retained a computer forensics team, and the FBI was also notified,” the notice stated.

“The company was able to decrypt and recover its data as of September 5, 2022. The company’s workstations and server were secured, and no further vulnerabilities were identified.”

FMSG said it had no evidence that any patient PHI was acquired, misused, or exfiltrated, but encouraged impacted patients to remain vigilant.

Cardiac Imaging Associates Discloses April Data Privacy Incident

Cardiac Imaging Associates (CIA), a Los Angeles-based medical imaging services provider, recently disclosed a healthcare data breach that occurred in April. At the time of publication, it is unclear how many individuals were impacted by the breach.

An unauthorized actor maintained access to an internal email account between March 30 and April 6, 2022. CIA was unable to determine whether any patient information was viewed by the unauthorized party, but conducted a review of the contents of the account.

The account contained names, Social Security numbers, dates of birth, financial account information, driver’s license numbers, medical diagnoses, payment card information, medical lab results, medication and prescription information, and treatment information.

CIA said it was reviewing its existing security policies and implementing training protocols to further mitigate risk.

“CIA sincerely regrets any inconvenience this incident may have caused. Although CIA is unaware of the misuse of any personal information impacted by this incident, individuals are encouraged to remain vigilant against incidents of identity theft by reviewing account statements, explanation of benefits, and monitoring free credit reports for suspicious activity and to detect errors,” the notice explained.

“Any suspicious activity should be reported to the appropriate insurance company, health care provider, or financial institution.”