Data Breaches at Atlantic General Hospital, Lawrence General Hospital, OU Health and Other Healthcare Providers

A summary of data breach reports that were recently submitted to the HHS’ Office for Civil Rights, state Attorneys General, and the press.

Ransomware Attack at Atlantic General Hospital

Atlantic General Hospital (AGH) based in Berlin, MD, recently submitted a report of a ransomware attack to the Maine Attorney General that impacted roughly 30,704 people. AGH discovered the attack on January 29, 2023 after noticing the encryption of files. A third-party computer forensics firm helped with the investigation and confirmed the unauthorized access to files that contain patient data from January 20, 2023.

The analysis of the files was done on March 6, 2023, and it was confirmed that they included names, financial account data, Social Security numbers,
and at least one of these data types: treating/referring doctor, medical record number, medical insurance data, subscriber number, medical history data, or diagnosis/treatment details.

AGH mailed notification letters to the impacted persons on March 24, 2023. Impacted persons can avail a credit and identity monitoring services membership for one year for free. AGH gave its employees additional training and will implement more safety measures to stop the same attacks later on.

Hacking Incident at Lawrence General Hospital

Lawrence General Hospital based in Massachusetts just submitted a data breach report to the HHS’ Office for Civil Rights on February 23, 2023. Not much is known regarding the breach except that this hacking/IT incident affected 76,571 persons. As of March 29, 2023, the hospital has not yet published a notice on its website. Also, the breach is not yet posted on the Massachusetts Attorney General breach website.

Stolen Laptop Computer from OU Health

OU Medicine Inc. located in Oklahoma has submitted a breach report indicating that the protected health information (PHI) of 3,013 OU Health patients were affected. On December 26, 2022, the laptap computer of an employee was stolen. OU Health conducted an audit of the files believed to be stored in the laptop and confirmed on January 17, 2023 that unauthorized individuals may have accessed the emails that contained patient information like names, dates of birth, driver’s license numbers, account numbers, Social Security numbers, medical record numbers, names of provider, dates of service, medical insurance data, and diagnosis and treatment data.

Although there were no reported cases of patient data misuse, OU Health cannot exclude the possibility of unauthorized access to patient information. The healthcare provider notified all impacted persons and gave free credit monitoring services to those who had their Social Security numbers exposed.

Hacking incident at Majestic Care

Majestic Care provides community-based skilled nursing care across Indiana, Michigan, and Ohio. It reported a hacking incident last December 2022 that caused access problems to its IT systems. The provider detected the security breach on December 13, 2022, which resulted in making its information systems inaccessible up to December 16, 2022.

It was confirmed by a forensic investigation that the disruption was due to a malicious software program installed in its systems by an unauthorized person, who initially acquired access to the system on December 9, 2022. By February 3, 2023, the investigation also confirmed the likely unauthorized access to the system and extraction of files with personal data and PHI, such as names, birth dates, mailing addresses, phone numbers, driver’s license numbers, Social Security numbers, and data associated with the treatment and billing for healthcare.

The breach impacted 2,636 persons who got treatment services via Majestic Care Middletown Assisted Living LLC based in Indiana.

GoAnywhere Hacking Incident at Blue Shield of California

Blue Shield of California (BSC) has reported the theft of the PHI of 63,341 persons during a hacking incident. The zero-day vulnerability present in  the GoAnywhere Managed File Transfer-as-a-service (MFTaaS) program of Fortra was exploited.

BSC stated that it received notification about the breach on February 5, 2023, from Brightline Medical Associates. The company provides families and children with virtual behavioral health coaching and therapy. It was determined that there was a compromise in the file transfer application from January 28, 2023 to January 31, 2023. At that time, the attacker copied files that held sensitive data. These types of data were included in the files: name, date of birth, address, gender, phone number, Blue Shield subscriber ID number, e-mail address, plan group number, and plan name.

When Fortra discovered the breach, it immediately terminated unauthorized access to the system and took the application offline. Since then, the provider has applied the patch and rebuilt the application and gateway. BSC has given all impacted persons a free membership to credit monitoring and identity theft protection service by Experian IdentityWorks for 12 months.

The Clop ransomware group professed that it is responsible for the attacks and the data theft from 130+ companies, which include Community Health Systems.

GoAnywhere Hacking Incident at US Wellness Inc.

US Wellness Inc. based in Maryland has just reported that it was impacted by the GoAnywhere cyberattack, which led to the theft of the PHI of 11,459 members of the Blue Cross Blue Shield of Arizona.

US Wellness stated it detected the cyberattack on February 9, 2023. The following sensitive data were affected: names, addresses, dates of birth, where the services started, member ID numbers, and service locations. There was no misuse of the stolen information discovered. US Wellness stated it has taken steps to enhance security procedures to stop the same incidents later on. Impacted persons received notification regarding the breach on March 22, 2023.

Email Account Breach at Health Plan of San Mateo

Health Plan of San Mateo in San Francisco, CA recently reported an email account breach that led to the exposure and likely theft of the PHI of 4,032 plan members. The health plan discovered suspicious activity in its email environment on January 17, 2023. It was determined that an unauthorized person accessed an employee’s email account.

It is believed that the attacker accessed the account to change the employee’s direct deposit details and not to access plan member information. Nevertheless, unauthorized access to PHI cannot be excluded. The email account had a spreadsheet with names, dates of birth, member ID numbers, and some information about calls to the nurse advice line. Extra security procedures had been put in place to avoid the same incidents later on. Employees got additional training on identifying phishing attempts.