Aesto Health and Motion Picture Industry Health Plan Report Data Breaches

Aesto Health, a software company based in Birmingham, AL, provides services that help healthcare companies and medical providers share, organize, and secure patient data. It has been reported that the company recently experienced a cyberattack that disrupted some of its internal information technology systems.

Aesto Health discovered the security breach on March 8, 2022, and immediately took steps to stop the unauthorized person from further accessing its systems. A third-party computer forensics firm helped with the investigation and confirmed that an unauthorized person had access to the impacted systems from December 25, 2021, until March 8, 2022.

During that time frame, selected files containing radiology reports originally from Osceola Medical Center (OMC) in Wisconsin were extracted from a backup storage unit. An evaluation of the impacted records confirmed that they contained the protected health information (PHI) of patients, such as names, birth dates, doctor names, and reports of results associated with radiology imaging done at OMC. No Social Security numbers or financial records were accessed or stolen. The systems and electronic medical records of OMC were not affected. Aesto Health said it has implemented additional safeguards and technical security measures to strengthen the protection and monitoring of its systems.

The breach report submitted to the HHS’ Office for Civil Rights indicates that 17,400 patients were affected.

Motion Picture Industry Health Plan Notifies Members Regarding Unauthorized Disclosure of PHI

The Motion Picture Industry Health Plan (MPIHP) has reported an impermissible disclosure of the PHI of 16,838 plan members because of a mismailing incident. MPIHP discovered a mailing error on March 31, 2022. Because of that error, the information of plan members was mailed to the wrong addresses. In all cases, the letter intended for one MPIHP member was mailed to a different MPIHP member.

The letters did not include any medical data or health claims data. They included only the member's name, address, hours worked, the last four digits of the Social Security number, and the latest dates of eligibility. MPIHP has already sent notification letters to all the impacted persons at the previous address given by those members. Impacted persons were offered free one-year identity monitoring services. MPIHP said that it found the specific cause of the error and took steps to prevent the same mismailing incident from happening again.