Third-Party Data Breach Corrupts Medical Records at NH Hospital

February 16, 2023 - Wentworth Health Partners Garrison Women’s Health (GWH) informed patients that a third-party data breach impacted its IT infrastructure in December 2022, making some patient information inaccessible and unrecoverable.

The breach began when one of GWH’s third-party technology service providers, Global Network Systems, suffered a network outage on December 12. Global manages the IT infrastructure and applications for GWH, including hosting its electronic medical records system.

Further investigation determined that some GWH data may have been accessed by an unauthorized party between April 29 and December 12. The incident “rendered the information inaccessible and for which there was not a backup available,” a notice to patients explained.

“In response, steps were quickly taken to explore alternative data back-up sources and restoration methods. GWH’s access to certain information, such as in specific radiology and ultrasound applications, was eventually restored and completed. During January 2-9, 2023, the GWH electronic medical record system was restored through backups which included earlier data through April 28, 2022.”

However, information entered into the electronic medical system between April 29 and December 12 was not fully recoverable since it was corrupted during the breach.

“Medical records separately maintained by a patient’s primary care physician, hospital or other providers, or possibly received by a patient’s health plan, may already describe or summarize the results or possibly contain a copy of GWH documentation of the services provided,” GWH explained.

The information included in the lost records varied by patient, but may have included medical history, genetic information, medical record numbers, procedures and lab results, claims and insurance information, and scheduling for upcoming appointments.

“The outage occurred on Global’s systems and affected information stored in Global’s environment,” GWH explained. “The outage did not impact Wentworth-Douglass Hospital’s network or any other Wentworth-Douglass Hospital core clinical system.”

GWH said it had no evidence that any information was exfiltrated or accessed by the unauthorized party. GWH providers will have conversations with impacted individuals about how the incident impacted their records personally.

Arizona Priority Care Notifies Several Health Plans of Data Breach

Arizona Health Advantage, also known as Arizona Priority Care (APC) and AZPC Clinics notified several health plans of a recent data breach that occurred in early December 2022. The breach impacted nearly 11,000 individuals in total.

On December 2, APC employees experienced difficulties in accessing some servers. Further investigation revealed that malware was present on some of APC’s servers, and a threat actor had exfiltrated data.

Members of Alignment Health Plan of Arizona and Alignment Health Insurance Company of Arizona, Blue Cross Blue Shield of Arizona, Health Net of Arizona (Centene), and WellCare Health Plans of Arizona (Centene) were impacted by the breach, APC stated.

The threat actor potentially accessed member names, dates of birth, services authorization numbers, health plan member numbers, and treatment information.

APC notified law enforcement and implemented additional security protections to prevent future incidents. APC also offered impacted individuals one year of complimentary credit monitoring.

Digital Marketing Company Breach Involves Health Data

Rise Interactive Media & Analytics, a digital marketing agency, recently reported a data breach to HHS that impacted 54,509 individuals. According to a notice on Edgepark Medical Supplies’ website, some Edgepark data previously provided to Rise was involved in the incident.

Rise first identified the data security incident in November 2022, Edgepark explained. Rise later learned that some files may have been accessed without authorization and informed Edgepark of the incident.

The file relating to Edgepark contained patient names, phone numbers, diagnoses, email addresses, expected delivery dates, and health insurance information.

Edgepark’s notice did not elaborate on why patient information was shared with a digital marketing company.

“The privacy and security of personal information is of the utmost importance to Rise and Edgepark. Rise continually evaluates and modifies its practices and internal controls to safeguard the security and privacy of personal information,” the notice concluded.