Cyberattacks on CompleteCare Health Network, Keenan & Associates and Concentra

314,000 Patients Impacted by CompleteCare Health Network Cyberattack

CompleteCare Health Network, a health system providing patient care in southern New Jersey, reported the potential compromise of the protected health information (PHI) of 313,973 patients due to a ransomware attack in October 2023.

An unauthorized third party acquired access to CompleteCare Health Network’s computer system and tried to deploy ransomware for file encryption. CompleteCare Health Network mentioned it detected this sophisticated ransomware attack and blocked it on or about October 12, 2023. Third-party cybersecurity professionals investigated the ransomware attack to find out the details of the unauthorized activity, and if patient data was compromised. As per CompleteCare Health Network’s substitute breach notice, the health system has taken steps to stop the publishing or distribution of patients’ data. This statement seems to suggest the confirmed data exfiltration, and the ransom payment given to the threat group to stop their plan to expose the data.

CompleteCare Health Network performed an analysis of all files on the impacted systems and confirmed they contained PHI. The types of data affected differed from one patient to another and might have involved names, telephone numbers, addresses, and certain sensitive personal data and/or personal health data. Notification letters were mailed to the impacted people beginning on December 15, 2023. Every individual notification letter mentioned the exact types of information affected. CompleteCare Health Network stated there was no report received that suggest actual or attempted patient data misuse. However, as a safety measure, the affected persons were provided free credit monitoring and identity theft protection services.

Upon learning about the attack, CompleteCare Health Network immediately disabled the affected systems and started securing and improving its systems. Steps taken because of the breach include changing guidelines and procedures and system security software programs and going over how patient information is saved and managed. Since the ransomware attack, the system was monitored 24 hours a day by third-party cybersecurity professionals. CompleteCare Health Network has involved top cybersecurity providers to help with keeping track of its system for the long term.

Keenan & Associates Data Breach Impacts Over 1.5 Million People

The insurance broker Keenan & Associates based in Torrance, CA submitted a cybersecurity incident report to the Maine Attorney General that has impacted 1,509,616 people. Keenan & Associates is associated with AssuredPartners NL, one of the biggest brokerage companies in the U.S. The firm has clients in various fields, including education, healthcare, and the public sector.

The firm detected the cybersecurity incident on Sunday, August 27, 2023 upon noticing the disruption in some of its network servers. Action was quickly undertaken to control the attack and separate the impacted network servers. Third-party cybersecurity professionals investigated the incident to find out the nature and extent of the breach. Based on the forensic investigation, its internal systems were accessed at various times from August 21, 2023 to August 27, 2023. At that time, selected files were extracted from its systems. A number of those compromised files included personal information furnished by its clients together with several employee information. The analysis of those files revealed that they included names along with at least one of these data: birth date, passport number, Social Security number, driver’s license number, medical insurance data, and general health data.

Keenan & Associates stated supplemental security measures were implemented to improve network, system, and data security, and its security procedures will still be assessed to know whether action still must be taken to toughen cybersecurity protection. The attack was reported already to the Federal Bureau of Investigation (FBI), which has begun its investigation.

Although data theft was established, Keenan & Associates did not receive any report of attempted or actual misuse of the stolen information. As a safety measure, impacted persons were provided free credit monitoring, and identity theft protection services. There was no public mention of the names of the impacted clients, thus it is uncertain at this point if the breach is reportable as per HIPAA.

About 4 Million Concentra Patients Impacted by PJ&A Data Breach

Physical and occupational health provider, Concentra based in Texas, reported that it was impacted by the cyberattack on PJ&A, its transcription service provider. PJ&A already sent a breach report to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) indicating that more or less 9 million patients were affected; but a few PJ&A clients, including Concentra, have decided to submit a breach report to OCR themselves.

On January 9, 2024, Concentra reported the compromise of the PHI of 3,998,162 patients because of the PJ&A cyberattack. Including this the total number of impacted persons is now up to around 14 million. This healthcare data breach is currently the biggest in 2023. That figure will probably increase further, though it is not known by how much because PJ&A has not publicly mentioned the clients that were affected nor the total number of healthcare records exposed because of the attack.

The medical transcription firm based in Nevada and the impacted clients are facing lawsuits because of the data breach. There are a minimum of 40 lawsuits already filed against PJ&A for negligence and not implementing reasonable and proper cybersecurity steps to secure sensitive health information from its clients. Several of the lawsuits made the impacted healthcare providers co-defendants.

According to Concentra, the data exposed includes complete names and at least one of these data: address, birth date, medical record number, admission diagnosis, hospital account number, and date(s) and time(s) of service. Many individuals also had their Social Security number exposed, the insurance data and clinical data from medical transcription records like lab and diagnostic test results, prescription drugs, the name of the treatment center, and the name of healthcare companies. It was not mentioned if credit monitoring and identity theft protection services were offered. Concentra has instructed the impacted people to keep track of their accounts carefully for indications of misuse of their data and to set a fraud alert on their credit records.

Hackers are targeting business associates of HIPAA-regulated entities because they usually keep huge amounts of sensitive information. A breach of this level normally raises concerns about the implementation of security measures questioning how the hackers could have gained access to a lot of data. Considering the high risk of cyberattacks, Concentra should have implemented network segmentation to make sure that in case of security breaches, hackers can only access limited information.