Exposure of Protected Health Information in 6 Recent Cyberattacks

Independent Living Systems, LLC (ILS), Florida Medical Clinic, Denver Public Schools, NorthStar Emergency Medical Services, The Bone & Joint Clinic, and Wichita Urology Group have recently reported cyberattacks resulting in the exposure and possible theft of protected health information (PHI).

Independent Living Systems

Independent Living Systems, LLC (ILS), based in Miami, FL, provides managed care organizations with third-party administrative services. It recently notified the Maine Attorney General that it experienced a data breach that impacted approximately 4,226,508 people, the biggest healthcare data breach so far in 2023.

Based on the breach notification, ILS discovered suspicious activity inside its computer network on July 5, 2022. Third-party cybersecurity professionals helped ILS confirm that unauthorized people gained access to its system from June 30, 2022 to July 5, 2022, and obtained files that contain sensitive information.

ILS performed a detailed analysis of all impacted files and was given the findings of the analysis on January 17, 2023. ILS then confirmed those results and got updated contact details of the impacted persons who will be sent notification letters.

The data compromised included names, birth dates, addresses, state ID numbers, taxpayer ID numbers, Social Security numbers, financial account details, Medicaid/Medicare IDs, diagnosis codes/diagnosis data, dates of admission/discharge, mental/physical conditions, treatment details, food delivery data, prescription data, billing/claims details, and medical insurance data. The types of data differed from one person to another.

The impacted persons had previously received services directly from ILS, through its covered entity subsidiaries HPMP of Florida Inc (doing business as Florida Complete Care) and/or Florida Community Care LLC, or from other health plans/data owner clients.

On September 2, 2022, ILS stated it included an initial notice on its website; however, it did not issue notification letters until the analysis and validation process was done. Notification letters were sent to impacted persons on March 14, 2023. Impacted persons were provided free credit monitoring services.

ILS stated it was working on applying extra safety measures to stop more cyberattacks, which include strengthening its firewall, changing complexity requirements for credentials, applying extra internal security processes, updating its employee training practices, and giving its employees more training.

Florida Medical Clinic

Florida Medical Clinic recently reported that it experienced a ransomware attack. The healthcare provider discovered the attack on January 9, 2023, and took immediate action to contain it, which minimized data exposure, even though files were encrypted. The third-party forensic investigation revealed that the attacker viewed files that included patients’ PHI; however, the electronic medical record system of Florida Medical Clinic wasn’t impacted.

In a comprehensive breach notice, Florida Medical Clinic mentioned that 94,132 files were compromised, each of which included only minimal patient data. 95% of the exposed files contained only a person’s name. The remaining files contained names, telephone numbers, birth dates, email addresses, and addresses. No financial data was compromised, and only 115 Social Security numbers had been compromised.

Florida Medical Clinic stated it has proof that all stolen files were permanently deleted, which implies the attacker received a ransom payment. No proof of patient data misuse was found. The healthcare provider sent notifications to all impacted patients and implemented extra cybersecurity measures to stop more attacks, which include changing selected system components and altering remote access practices.

The incident is not yet posted on the HHS’ Office for Civil Rights breach website. Hence, the number of affected patients is still uncertain.

The Bone & Joint Clinic based in Wisconsin

The Bone & Joint Clinic manages 7 clinics located in Wisconsin. It recently informed current and former workers and patients about a cyberattack that was discovered on January 16, 2023, and the resulting network disruption. According to the notification letters, unauthorized persons possibly viewed and obtained files that contain data such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical insurance data, and diagnosis and treatment data.

Impacted persons received notification letters on March 7, 2023, along with free credit monitoring and identity theft protection services for 12 months. The breach report has been submitted to the HHS’ Office for Civil Rights indicating that 105,094 individuals were affected.

NorthStar Emergency Medical Services

NorthStar Emergency Medical Services, based in Tuscaloosa, AL, recently announced a data breach that impacted around 82,450 patients. Based on the notification submitted to the Maine Attorney General, the provider discovered suspicious activity inside its computer system on September 16, 2022; however, it confirmed the exposure of patient data only on March 8, 2023. The breach notice does not mention when the attackers initially acquired access to its system.

The impacted files included data such as names, Social Security numbers, dates of birth, patient ID numbers, treatment data, Medicaid/Medicare numbers, and medical insurance data. NorthStar Emergency Medical Services sent notification letters to the affected persons on March 14, 2023. It also offered free credit monitoring and identity theft protection services to impacted persons and took steps to strengthen security.

Denver Public Schools

Denver Public Schools recently reported that unauthorized persons acquired access to some parts of its servers and extracted files that included sensitive employee information. The school discovered the data theft on January 4, 2023. The forensic investigation affirmed that unauthorized persons had access to its system from December 13, 2022 to January 13, 2023.

The document analysis showed that the impacted files contained names, fingerprints (if included in the file), pay card numbers/bank account numbers, Social Security numbers, driver’s license numbers, student ID numbers, passport numbers, and some health plan enrollment details. The breach report was submitted to the HHS’ Office for Civil Rights as including the PHI of 35,068 current and former participants in its employer-financed health plan. The number of students affected by the data breach is uncertain. Denver Public Schools stated that extra security measures were put in place to prevent similar breaches in the future. Denver Public Schools is providing credit monitoring and identity theft protection services to impacted persons.

Wichita Urology Group

Wichita Urology Group in Kansas recently informed 1,493 persons that unauthorized people acquired access to its system and possibly accessed or acquired files that contain names, prescription data, billing data, and medical insurance details.

Suspicious activity was noticed inside its system on January 3, 2023. The forensic investigation confirmed that the attack happened on January 2. Then, on January 26, 2023, the forensic investigation confirmed the exposure of PHI; however, there was no observed patient data misuse. Technical safety procedures were improved to avoid more attacks.

 

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.