Cyberattacks Reports Involving the State of Maine, Greater Rochester Independent Practice Association, Tri-City Medical Center, and Crystal Run Healthcare

MOVEit Hack Impacts 1.3 M Individuals According to the State of Maine

The state of Maine has reported that it was impacted by the massive hacking of the MOVEit file transfer tool Progress Software. The state found out about the vulnerability on May 31, 2023 and fixed the vulnerability as soon as Progress Software released a patch; nevertheless, the Clop hacking group already exploited the vulnerability and downloaded files that contained sensitive information from May 28, 2023 to May 29, 2023.

The files included the sensitive information of state residents, workers, and those who obtained services from state organizations. 10% to 30% of employees worked at the Department of Education and over fifty percent worked at the state Department of Health and Human Services. The compromised data included names, birth dates, driver’s license numbers, health data, and Social Security numbers.

Based on the notice submitted to the Maine Attorney General, the information of 1,324,118 persons was affected, including 534,194 Maine residents. Notification letters are currently being sent and free credit monitoring services were provided to those whose Social Security numbers were compromised or stolen.

MOVEit Hacks Affect Greater Rochester Independent Practice Association

Greater Rochester Independent Practice Association (GRIPA) located in New York was likewise impacted by the MOVEit hacks. GRIPA mentioned it discovered the breach on May 31, 2023 because Progress Software provided the patch. Its forensic investigation affirmed on June 5, 2023 the exfiltration of files from its MOVEit server that contained patients’ protected health information (PHI). A third-party vendor analyzed the files, which was finished on September 1, 2023.

GRIPA stated that medical data were not exposed and the affected information was minimal. Impacted persons received information about which information was impacted in their notification letters. The breached data contained info including the name of their physician, date of last consultation, and prescription data. In case Social Security numbers were compromised, impacted persons can subscribe to free credit monitoring services.

The breach report was submitted to the HHS’ Office for Civil Rights indicating that about 79,156 persons were affected.

Cyberattack on Tri-City Medical Center

Tri-City Medical Center based in Oceanside, CA, is presently addressing a cyberattack that has compelled it to take selected systems off the internet. On November 9, 2023, the hospital was directing ambulances to different hospitals as a safety measure, though the medical center stated it is ready to handle emergency cases that might turn up in private cars and that it is working together with other healthcare companies locally to make sure that healthcare services are given.

A forensic investigation has been started to find out the nature and extent of the attack and whether there was theft of sensitive information. More details will be published as the investigation moves along.

Potential Cyberattack on Optum Medical Group’s Crystal Run Healthcare

Crystal Run Healthcare located in Middletown, NY, which was bought by Optum Medical Group, reports it is encountering system problems that are affecting a number of its services, causing longer than normal wait times. The problem began on or about November 3, 2023, and since November 10, 2023, the healthcare company has not yet resolved the issues. The reason for the disruption was not mentioned in the notice, however, it is assumed that it involved a cyberattack.

Butler County Reports October Cyberattack

Butler County based in Pennsylvania has reported that it has encountered a data security breach. The attack was discovered at the beginning of October, and by the end of November, it was verified that the individual behind the attack had acquired access to personally identifiable information (PII), primarily associated with criminal court proceedings. The analysis of the impacted information is in progress and, at this time of the investigation, there is no confirmation yet regarding the exact data that was stolen and how many people were impacted.

Notification letters shall be sent to the impacted persons when the analysis is over and county officials stated it will offer credit monitoring services. This is the county’s second security breach. In September, the account of a jail employee was accessed compromising PII.

Northern Iowa Therapy Reports Scope of Security Incident in March 2023

Northern Iowa Therapy (NIT) based in Waverly, IA recently reported the exposure of the data of 5,100 patients. The privacy breach was initially discovered on March 10, 2023, because NIT found a small number of patient data in an account not affiliated with NIT. Third-party forensic specialists investigated the incident. On June 21, 2023, NIT first reported the security incident and performed an evaluation of the documents affected. On October 4, 2023, exposure of patient data was confirmed. Contact data was then verified, and notification letters were dispatched on October 27, 2023.

The compromised data differed from person to person and might have contained names, addresses, birth dates, email addresses, telephone numbers, medical data, Medicare IDs, mental/physical condition, driver’s license numbers, Social Security numbers, diagnoses, treatment data, dates of service, billing & claims data, patient account numbers, and medical insurance details.

NIT stated it constantly examines and changes its security procedures to improve the privacy and security of stored personal data and will keep on doing so.

West Central District Health Department Informs Patients Regarding May 2023 Cyberattack

The West Central District Health Department (WDCHD) located in Nebraska has reported unauthorized access to its system and the exposure of patient data. The forensic investigation affirmed that particular sections of its system were accessed from May 18, 2023 to May 23, 2023, and the analysis of the impacted files was done on September 18, 2023.

In its November 13, 2023, breach announcement, WDCHD reported the exposure of information including names along with at least one of the following: driver’s license number, Social Security number, state identification number, and/or financial account number. Free credit monitoring and identity theft protection services were provided to the impacted persons.

The incident is not yet showing up on the HHS’ Office for Civil Rights breach portal, thus the number of affected individuals is still uncertain.