Software Vulnerability Triggers Rite Aid Data Breach, 24K Impacted

July 26, 2023 - Rite Aid recently revealed a major data breach that potentially left the personally identifiable information (PII) of 24,400 customers exposed to threat actors.

The issue came to light on May 31, 2023, when a vendor partner alerted Rite Aid about a vulnerability in their software. The officials were informed that this vulnerability had been exploited by an unidentified third party.

Promptly responding to this, Rite Aid not only updated the software using the patch provided by the vendor but also initiated an extensive review of their systems.

This investigation led to a concerning discovery; unknown entities had accessed specific files belonging to the company.

The exposed PII included the patient's first and last names, dates of birth, addresses, prescription data, which includes medication names and fill dates, prescriber information, and in some cases, limited insurance data such as the plan name and cardholder ID.

READ MORE: Average Cost of Healthcare Data Breach Reaches $11M

However, Rite Aid specifically noted that sensitive information, including social security numbers and financial data such as credit card numbers, were not part of the breached data.

“We regret that this incident occurred. We immediately reported it to law enforcement as well as appropriate federal and state regulators,” Rite Aid officials stated. “We take our obligation to safeguard personal information very seriously and are alerting consumers about this issue in case they would like to take any steps to help protect themself. Consumers are entitled under US law to one free credit report annually from each of the three nationwide consumer-reporting agencies.”

Tampa General Hospital Data Breach Impacts 1.2M

Tampa General Hospital (TGH) notified nearly 1.2 million patients that their personal data might have been leaked in a recent data breach.

On May 31, 2023, TGH identified and responded to unusual activity on its computer systems. Unbeknownst to the healthcare provider, unauthorized third-party actors had already gained access to its system, beginning on May 12 and undetected until May 30.

The report unveiled that the third parties had potentially accessed an array of patient information during the 18-day breach. This data included patients' names, addresses, phone numbers, birth dates, Social Security numbers, health insurance details, medical record numbers, patient account numbers, and dates of service.

READ MORE: Imagine360 Suffers Third-Party Data Breach, 112K Impacted

However, the breach's scope was not as bad as it could have been, the hospital stated.

With TGH’s monitoring systems and professional technology team, the hospital was able to avert the encryption of its data which could have impeded the hospital's capacity to care for patients.

The extent of the data breach, while significant, was effectively contained, preventing a worst-case scenario.

Peachtree Orthopedic Clinic Suffers Cyberattack

Atlanta-based Peachtree Orthopedics has recently disclosed a cyberattack that affected its system, as per the data breach notice published on its website.

A total of 34,691 individuals were reported to be impacted by this breach, with the notification to the affected parties being released on July 17, 2023, several months after the initial discovery of the breach.

READ MORE: HCA Healthcare Suffers Data Breach, 11M Patients Impacted

Peachtree Orthopedics first detected unauthorized access to its computer network on April 14, 2023. The organization promptly initiated an investigation, enlisting the aid of third-party experts to fully understand the incident's nature and scope. Additionally, local law enforcement was also informed about the breach.

The cyberattack potentially compromised a range of personal and medical information. The exposed data may include names, addresses, birth dates, driver’s license numbers, Social Security numbers, medical treatment and diagnosis details, treatment costs, financial account information, and health insurance claims or provider information.

In response to the attack, Peachtree Orthopedics has taken swift action to enhance its cybersecurity measures. Passwords for accounts have been changed and extra security precautions have been implemented to prevent similar incidents in the future.

The healthcare provider reported the breach to the Office for Civil Rights under the Department of Health and Human Services on June 19, 2023.

Henry Ford Health Discloses Emailing Phishing Attack to Patients

Henry Ford Health, a non-profit healthcare organization based in Metro Detroit, recently announced a data breach affecting 168,000 patients. The breach resulted from an email phishing scheme that potentially left sensitive patient data exposed.

The incident, which took place on March 30, 2023, involved unauthorized access to three business email accounts. Once the healthcare organization detected the breach, the compromised accounts were secured, officials confirmed.

Following the discovery, Henry Ford Health commissioned a forensic investigation which concluded on May 16, 2023. The investigation revealed that the compromised email boxes contained PHI that could have been viewed. However, it remains uncertain whether this information was actually accessed.

The potentially compromised patient data included personal and medical details such as names, gender, birth dates, ages, lab results, procedure types, and diagnoses. As of now, Henry Ford Health continues to work diligently to address the situation and prevent future incidents of this nature.

“As a result of this incident, we are implementing additional security measures and providing additional training to employees about recognizing the signs of suspicious email and what to do if they receive one,” the data breach notice stated.