Unsecured files on a public FTP server maintained by Arkansas-based practice management software provider MedEvolve may have caused a PHI data security breach for more than 200,000 patients, reported DataBreaches.net.
Most of the patient files on the server were password protected, but two clients did not password protect their records, a security researcher told DataBreaches.net.
One of the clients, Pennsylvania-based Premier Urgent Care, had a SQL database with 205,000 patient records that was not secured. Around 11,000 of those records contained Social Security numbers.
Another client, Texas-based dermatologist Dr. Beverly Held, had three unsecured .dat files with 12,000 Social Security numbers exposed.
DataBreaches.net contacted MedEvolve and the two clients about the exposed data. The files were then removed from public access. However, DataBreaches.net has not been able to get satisfactory answers to its questions about how long the data was exposed, who accessed the files, or whether HHS and the patients were being notified.
Allied Physicians of Michiana Suffers SamSam Ransomware Attack
Indiana-based Allied Physicians of Michiana said it became aware on May 17 of a SamSam ransomware attack on its network. It immediately shut down its network to protect personal and protected health information.
Allied Physicians of Michiana said it was able to restore its data in a secure format without “any significant disruption of services to its patients.”
The healthcare service provider did not say whether it paid the ransom or how much the attackers were asking. It said that forensic activity was continuing to determine whether personal data or PHI of patients was compromised. It said it was working with regulatory agencies and the FBI to understand the scope of the attack.
“While we make every effort to keep ahead of these types of cyberattacks, we have nevertheless taken additional steps to minimize any such future attack,” said CEO Shery Roussarie.
HHS warned earlier this year that SamSam ransomware attackers were targeting healthcare organizations. As of March, there had been eight SamSam ransomware attacks against healthcare and government organizations, according to HHS.
The attacks on healthcare organizations included Indiana-based Hancock Health Hospital and Adams Memorial Hospital and cloud-based electronic health record provider Allscripts.
Cambridge Dental Admits to Data Breach Affecting 3,750 Patients
Cambridge Dental Consulting Group said that personal information on 3,750 patients was mistakenly posted on its public website, reported the Las Vegas Review-Journal.
The data posted on the website included health insurance information, Social Security numbers, and birth dates. Affected patients visited Boston Dental Group locations in Las Vegas and Diamond Lake Dental in Hemet, California.
The dental group was informed of the breach on March 13 by HHS, the report noted. The group said it was offering those affected by the breach free credit monitoring services if they request it.
UT Physicians Clinic Sent Out Email Addresses of 2,800 Patients
UT Physicians’ Davis Clinic in Texas notified patients that a doctor was leaving the clinic by sending out mass emails containing the email addresses of 2,800 patients, reported Chron.com.
The patient data disclosed did not include health information, physical addresses, Social Security numbers, diagnostic information, health insurance, or financial information.
UT Physicians, the physicians group of the University of Texas Health Science Center, mailed out letters on May 15 to inform affected patients about the breach.
Muir Medical Patients’ Personal Data Stolen by Ex-Employee
California-based Muir Medical Group patients who received treatment between November 2013 and February 2017 may have had their personal information stolen by an ex-employee, NBC reported May 22.
Muir Medical discovered the data breach on March 7, 2018, after a former employee took patient information with her before her employment ended, the report noted.
The information that was taken included patient names, Social Security numbers, addresses, diagnoses, test results, medications, and other treatment data.
The company has notified affected patients and is offering free credit monitoring services. It has also employed a forensics company to investigate the data disclosure.