Synergy Healthcare Services Data Breach Impacts Multiple Healthcare Facilities

September 05, 2023 - Synergy Healthcare Services recently notified an undisclosed number of individuals of a healthcare data breach that impacted several long-term care facilities that it manages. Synergy Healthcare Services provides a variety of management services to nursing homes and assisted living facilities, including accounting, regulatory compliance, and human resources.

According to the breach notice, Synergy identified suspicious activity on its network in December 2022. The company engaged a third-party firm to launch an investigation, which determined that an unauthorized third party had potentially accessed certain files.

The files contained names, dates of birth, signatures, medical information, financial information, Social Security numbers, and contact information.

The breach specifically impacted patients or other individuals associated with Synergy Healthcare Services, Consulate Health Care, Raydiant Health Care, Independence Living Centers, Nspire Health Care, and their affiliated care centers.

Synergy Healthcare Services said it had no evidence that any of the information breached had been used for fraudulent purposes, but encouraged impacted individuals to remain vigilant.

Health Data Impacted by Data Breach at Children’s Dental Provider

Acadia Health, which does business as Just Kids Dental (JKD), notified 129,623 individuals of a healthcare data breach. In early August, JKD learned that its computer systems were attacked by a malicious hacker who used a program to encrypt its data.

JKD patients may have had names, addresses, birth dates, Social Security numbers, health insurance information, treatment information, medical record numbers, and health conditions exposed. The personal information of parents or guardians of patients may have also been impacted by the breach, along with current and former employees.

The information impacted varied depending on the impacted individual’s relationship to JKD. No financial information was obtained by the bad actor.

“The malicious actor confirmed to JKD that it deleted the data without distributing it, so we do not expect there to be future misuse,” the notice to impacted individuals stated.

JKD assured patients, parents, and employees that it took steps to secure and restore its systems and will continue to take measures to strengthen its security posture.

“JKD sincerely regrets any inconvenience or concern that this incident may cause you. JKD remains dedicated to ensuring the privacy and security of all information within it’s control,” the notice concluded.

Pharmacy Benefit Manager Suffers Breach

Prime Therapeutics, which acquired Magellan Rx Management in late 2022, disclosed a data breach that impacted a subset of Blue Cross and Blue Shield of Minnesota members. Prime is collectively owned by 19 Blue Cross and Blue Shield Plans. Along with Magellan Rx Management, Prime specializes in medical drug management and serves sector state government programs.

An unauthorized actor gained access to an employee’s mobile email account in July 2023, Prime explained. The email account contained member names, addresses, dates of birth, member IDs, and medication information.

“Upon discovery of this incident, Prime immediately conducted a comprehensive investigation of this matter and immediately disabled the compromised credentials,” the notice explained.

“Prime has blacklisted the unauthorized actor's IP addresses and established monitoring for any future login attempts. Prime has obtained no evidence to indicate that the information involved in this incident was actually accessed or has been misused.”

Prime recommended that impacted individuals monitor any explanation of benefits statements for irregular activity.

Milan Eye Center Suffers Third-Party Data Breach, 67K Impacted

Atlanta, Georgia-based Milan Eye Center disclosed a third-party data breach to OCR that impacted more than 67,000 individuals. On December 9, 2022, Milan Eye Center first learned that the protected health information of patients may have been compromised.

By July 2023, the eye care provider had determined that an unauthorized individual had gained access to historical patient archives maintained by iMedicWare between May 18, 2020 and July 23, 2020. The accessed records contained names, phone numbers, insurance coverage information, Social Security numbers, and health information.

“However, despite the best efforts of multiple cybersecurity experts who specialize in incidents like these, we were not able to determine the full extent of patient records accessed. As a result, we are taking the conservative step of notifying patients who received services on or before July 23, 2020 to the extent we have a last known home address,” Milan Eye Center noted.

Milan Eye Center said that it no longer uses iMedicWare as its electronic health record vendor and  has since implemented new measures to enhance the security of its own information systems, which were not impacted by this incident.