PHI of 4.5 Million Individuals Exposed at HealthEC Data Breach
Analytics software vendor HealthEC, based in Edison, New Jersey, has recently reported the exposure and potential theft of the protected health information (PHI) of 4,452,782 individuals in a cyberattack. HealthEC develops a platform for use by healthcare companies to identify high-risk patients, close care gaps, and recognize obstacles to optimal patient care. Over 1 million healthcare experts in 18 U.S. states utilize the platform.
HealthEC began sending data breach notification letters to the impacted persons on December 22, 2023, but the data breach happened a couple of months earlier. Based on the breach notification letters, unauthorized people accessed HealthEC’s systems from July 14, 2023 to July 23, 2023. The forensic investigation showed that files were extracted during that time.
HealthEC performed an analysis of the impacted files and confirmed that they included the PHI of its clients’ patients. HealthEC began sending notification letters to the impacted clients on October 26, 2023, including Corewell Health and Beaumont ACO in Michigan (1 million+ records) and MD Valuecare in Virginia (112,005 records). On December 21, 2023, the breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights indicating that 4.52 million individuals were affected.
The compromised data varied from one patient to another and might have included names together with at least one of the following: address, Social Security number, birth date, medical record number, diagnosis and diagnosis codes, prescription data, mental/physical condition, name of provider, subscriber number, beneficiary number, Medicare/Medicaid ID number, patient account number, patient ID number, and treatment cost details. HealthEC is giving the impacted persons free credit monitoring services. Security has been improved to prevent future data breaches.
HealthEC is the second company to encounter a data breach that has impacted over 1 million Corewell Health patients in 2023. Michigan Attorney General Dana Nessel is seeking the introduction of new legislation in the state requiring prompt notifications in case of a data breach, since in both cases Michiganians waited a couple of months to find out that their sensitive health information was stolen.
Fallon Ambulance Service Data Breach Impacts Over 911,000 People
Legal counsel for Transformative Healthcare, a medical, transportation & logistics firm based in Newton, MA, has informed the HHS’ Office for Civil Rights that a data breach it encountered has impacted 911,757 people. The data breach impacted individuals who previously received services from Fallon Ambulance Services, Transformative Healthcare’s medical transportation arm in Massachusetts. In case of patient emergencies, Fallon is a responder in the greater Boston area. Fallon also provided administrative support for affiliated medical transportation firms.
Fallon Ambulance Service was acquired by Coastal Medical Transportation Systems in December 2022 and stopped business operations. To adhere to the legal requirements of data retention, Transformative Healthcare kept an archived copy of the data that was saved on the computer systems of Fallon. On or about April 21, 2023, Transformative Healthcare discovered unauthorized access to its archive. It took immediate action to secure the archive and began an investigation to find out the scope of the breach. As per the forensic investigation, an unauthorized third party accessed the archive from February 17, 2023 until April 22, 2023. During that time, the hacker copied files from the archive.
The process of reviewing the impacted files was completed on December 27, 2023. It was established that the files included names, addresses, Social Security numbers, medical data such as COVID-19 testing/vaccination data, and data given to Fallon in connection with a job application.
The information had already been removed from the archive. Fallon and Transformative Healthcare did not find any evidence suggesting misuse of the data. Impacted patients received breach notification by mail on December 27, 2023, as well as credit monitoring and identity theft protection services.
31,000 People Impacted by Eye Physicians of Central Florida Cyberattack
Eye Physicians of Central Florida, PLLC, recently reported the exposure and potential theft of the PHI of 31,189 patients in a cyberattack. Eye Physicians of Central Florida, which is a division of Florida Pediatric Associates, found suspicious system activity on November 5, 2023. It took steps immediately to stop the unauthorized access to its network and started a forensic investigation to find out the nature and extent of the breach.
The investigation revealed unauthorized access to areas of its system that stored patient data. When notification letters were issued to the impacted persons on December 6, 2023, no evidence had been found of actual or attempted misuse of patient data; nevertheless, as a safety precaution, impacted persons were provided free credit monitoring and identity theft protection services.
The exposed data included names, addresses, birth dates, medical diagnosis and treatment data, names of providers, dates of service, patient ID numbers, procedure codes, treatment cost data, financial account data, state ID, medical insurance data, and/or prescription details.
Eye Physicians of Central Florida stated it is reviewing its present guidelines and procedures associated with data security and will suggest enhancements as needed to strengthen security.