Refuah Health Center Suffers Cybersecurity Incident, 260K Impacted

May 12, 2022 - New York-based Refuah Health Center began notifying 260,740 individuals of a cybersecurity incident that occurred between May 31 and June 1, 2021.

Refuah Health Center discovered unauthorized access and said it immediately launched an investigation. The health center said its investigation concluded on March 2, 2022, but did not explain the year-long gap between discovery and notification.

The impacted information potentially included names, Social Security numbers, medical record numbers, driver’s license numbers, state identification numbers, birth dates, credit and debit card information, financial account information, Medicare/Medicaid numbers, patient account numbers, diagnosis information, and health insurance policy numbers.

“Please accept our apologies that this incident occurred. We are committed to maintaining the privacy of personal and protected health information in our possession and have taken many precautions to safeguard it,” the April 29 notice stated.

“We continually evaluate and modify our practices and internal controls to enhance the security and privacy of personal and protected health information. Since this incident, we have installed a new firewall and conducted a vulnerability assessment.”

Omnicell Suffers Ransomware Attack

Omnicell, a company that manufactures automated systems for medication management, recently suffered a ransomware attack, according to a US Securities and Exchange Commission (SEC) document.

The SEC document said that Omnicell discovered ransomware within its internal systems on May 4, 2022. The ransomware attack impacted some of Omnicell’s products and services, and the document said that Omnicell immediately implemented its business continuity plans.

 “The Company is in the early stages of its investigation and assessment of the security event and cannot determine, at this time, the extent of the impact from such event on our business, results of operations or financial condition or whether such impact will have a material adverse effect,” the document stated.

Vail Health Services Breach Impacts 17K

Vail Health Services disclosed a security incident that impacted up to 17,039 individuals and exposed some COVID-19 test results. The nonprofit Colorado health system said that it determined that a third party potentially viewed protected health information on February 11, 2022.

The unauthorized party “gained access to a restricted location in Vail Health’s computer network that had a small number of files, a subset of which contained results for COVID-19 testing performed at various Vail Health locations,” the notice stated.

Vail Health said it did not believe that the third party had copied or downloaded any files at the time of notification.

The files contained COVID-19 test results, names, birth dates, contact information, and internal reference numbers used to track individuals’ interactions with the health system.

“Vail Health hired third-party experts to help us investigate the extent of the incident, and we are further securing our systems to protect your information. We are also providing notice separately to individuals whose information was contained in the files,” the notice stated.

“While the location of the impacted files was already access-restricted to a small number of individuals with a legitimate need to work with the information as part of their duties, we have added an additional layer of security to further restrict the ability to access that file location and have removed the impacted files from that location.”

Unauthorized Party Removes Files From McKenzie Health System

Michigan-based McKenzie Health System discovered a security incident on March 11 and later determined that an unauthorized party accessed the health system’s internal systems and removed some files.

The breach impacted 25,318 individuals. McKenzie Health determined that the files contained names, demographic information, contact information, Social Security numbers, prescription information, medical record numbers, provider names, dates of service, health insurance information, and diagnosis and treatment information.

“For patients whose information may have been involved in the incident, we recommend that they review the statements they receive from their healthcare providers and contact the relevant provider immediately if they see services they did not receive,” McKenzie Health System stated.

“Additionally, for patients whose Social Security numbers may have been involved, we are offering complimentary credit monitoring and identity protection services through Experian.”

The health system has since implemented additional safeguards and security measures to prevent future incidents.