A pair of smaller specialty practices have allegedly suffered cyberattacks at the hands of the same team of hackers.
Editor's note: An earlier version of this article incorrectly described the hacking incidents as ransomware attacks.
TheDarkOverlord (TDO) informed data breach reporting website DataBreaches.net of two cyberattacks potentially affecting Sports Medicine and Rehabilitation Therapy (SMART) Physical Therapy in Massachusetts and Auburn Eye Care Associates (AECA) in California.
On September 13, TDO accessed SMART patient information stored in Patterson PTOS software due to allegedly weak passwords. Patterson — now called Performance Health — had discontinued the PTOS software product line in March of 2017 before the hacking incident occurred, according to the news source.
The team of hackers potentially accessed 16,428 patient health records during the breach and requested SMART pay a ransom in exchange for the data. SMART declined to communicate with any individuals associated with TDO.
Potentially accessed patient information may have included patient names, home addresses, dates of birth, phone numbers, email addresses, and Social Security numbers.
TDO informed the same website of an alleged cyberattack on AECA in June. Accessed patient data may have included patient names, dates of birth, Social Security numbers, home addresses, telephone numbers, and some email addresses.
DataBreaches.net stated it has attempted to contact AECA by both email and phone but all attempts have been unsuccessful.
The news outlet stated it has filed a formal complaint and request for investigation with OCR due to concerns that AECA patients have not been informed of the alleged breach.
DataBreaches.net has not revealed how many patients were potentially impacted by the AECA data breach.
Phishing attack potentially impacts thousands in Georgia
Augusta University (AU) Medical Center recently suffered a phishing attack potentially impacting patient information.
On September 15, the medical center announced hackers had gained access to two employee email accounts through phishing attacks on April 20 and April 21, 2017. The medical center launched an investigation into the incident and confirmed a third party had gained unauthorized access to the email accounts and potentially viewed some patient data, according to The Augusta Chronicle.
Following the incident, hospital employees determined the extent of the damage and issued advisory letters to any potentially affected patients with information on how to monitor their personal information in the future.
Potentially accessed information may have included patient names, home addresses, dates of birth, Social Security numbers, driver’s license numbers, financial information, prescription information, diagnosis, and treatment information.
AU officials stated the attack may have affected a few thousand patients – less than one percent of the hospital’s visitors. Additionally, officials maintained that there presently exists no evidence to suggest any patient information has been accessed or misused.
The hospital is providing staff members with extensive training on ways to avoid similar security incidents in the future. Additionally, AU has set up a dedicated call center to answer any questions concerned patients may have regarding the status of their information.
Government employees intend to appeal OPM data breach lawsuit decision
Employees of the federal government recently announced intentions to appeal a court decision stating they cannot sue for damages for the 2015 Office of Personnel Management (OPM) data breach.
US District Judge Amy Berman Jackson ruled earlier this month that employees could not prove any financial or health data stolen from approximately 22 million personal files had been misused by hackers in any way.
“OPM failed to keep our most private and sensitive information from getting into the hands of Chinese hackers,” said AFGE President J. David Cox, Sr. in a public statement. “We are deeply disappointed by the judge’s ruling in favor of OPM.”
This decision came in response to a class-action lawsuit requesting the government improve efforts to protect data and assist those affected by the breach.
Cox stated the ruling took too narrow a view of the rights of data breach victims.
In August, a Government Accountability Office (GAO) report found OPM has made improvements to its data security, but stated OPM should still strengthen data breach controls in several areas.