Wisconsin health cooperative suffers 533K-record breach

April 10, 2024 - Group Health Cooperative of South Central Wisconsin (GHC-SCW) notified more than 533,000 individuals of a data breach that resulted from a cyberattack. On January 25, GHC-SCW detected unauthorized access to its network and immediately isolated and secured the network.

The hacker attempted to encrypt GHC-SCW’s systems, without success. However, further investigation determined that the hacker had successfully copied some sensitive data during the cyberattack. That data included names, email addresses, dates of birth and/or death, Social Security numbers, member numbers, phone numbers, and Medicare and Medicaid numbers.

“Our discovery was confirmed when the attacker, a foreign ransomware gang, contacted GHC-SCW claiming responsibility for the attack and stealing our data,” the organization stated.

GHC-SCW said that it has no indication that the exposed information has been misused, but urged impacted individuals to review communications from GHC-SCW and contact the organization if statements contain services they did not receive.

GHC-SCW worked with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to mitigate the harm of this incident, and has since strengthened its security controls.

Indiana ENT practice faces cyberattack

Indiana-based Otolaryngology Associates (OA) suffered a cyberattack in February that impacted more than 316,000 individuals. According to a notice posted to its website, OA discovered the February 17 attack within hours and took immediate steps to stop it.

OA maintained access to its systems and was never locked out. But on February 20 and 21, the hacker sent three communications to OA claiming to have stolen data. Further investigation determined that the hacker had exfiltrated some data from OA’s systems, largely related to billing.

OA’s medical records systems remained untouched. The information involved in the breach varied by individual, but may have included names, medical record numbers, treatment codes, appointment locations, treatment costs, addresses, email addresses, Social Security numbers, driver’s license numbers, and insurance plan numbers.

For OA staff, the impacted data may have included payroll and bank account information.

“In addition to engaging a cybersecurity response firm, OA promptly took (and continues to take) other actions to further protect its patients, staff, and systems post-incident, including implementing additional security measures,” the notice continued.

“OA continues to monitor the situation closely. OA’s cybersecurity firm has been monitoring the dark web, and at the time of this notification letter, no evidence has been found of any OA documents.”

Zuckerberg San Francisco General notifies patients of logbook loss

Zuckerberg San Francisco General (ZSFG) issued a press release regarding the loss of a paper logbook containing protected health information (PHI). In December 2023, ZSFG staff became aware that the paper logbook was missing from a secure area of a clinic within the hospital where it was stored.

The hospital’s Office of Compliance and Privacy Affairs investigated the incident and confirmed that the logbook was gone. As of April 5, the logbook had still not been found.

The logbook contained PHI obtained between January 11, 2022 and December 12, 2023 at a specific ZSFG clinic. The impacted information included patient names, dates of birth, medical record numbers, gender, dates seen at the clinic, dates of specimen collection, reason for specimen collection, and results of specimens.

“ZSFG is committed to maintaining the privacy of its patients and takes possible breaches of privacy seriously,” the notice stated. “To ensure incidents such as this do not occur again, ZSFG will conduct policy reviews and additional security training with staff to ensure this type of loss does not occur in the future in this or other clinics.”