Data Breaches at CareFirst Administrators, Blakehurst and Legacy Health

CareFirst Administrators (CFA) has informed 14,538 people that they were affected by the phishing attack on Conifera, its revenue cycle management vendor. Conifer detected a security breach at the end of March, and the investigation confirmed that unauthorized individuals accessed a number of Microsoft 365 accounts from March 17 to March 22, 2022. CFA received notification about the security incident on June 23, 2022.

One of the breached email accounts contained the protected health information (PHI) of CFA members, such as names, dates of birth, addresses, medical insurance data, medical information, billing and claims details, and Social Security numbers.

Conifer mentioned it has enforced extra security steps to better secure its Microsoft 365 email environment to minimize the threat of future breaches.

Legacy Health Discovers Insider Breach

Legacy Health based in Oregon has just announced a breach that affected the PHI of 7,983 patients. Based on the provider’s substitute breach notice, the Privacy Office found out on July 25, 2022, that staff had stored files that contain patients’ PHI in external gadgets with no authorization. It was confirmed by the internal investigation that the staff had transmitted files that contain patient information to a private storage device through external drives and email.

The staff who accessed patient information got suspended as the investigation was carried out. In several interviews, the staff cannot give a legitimate work reason for taking such actions. An analysis of the files showed they included patients’ names, dates of birth, dates of service, medical record numbers, provider names, medical insurance data, diagnosis and/or treatment data, and several Social Security numbers. Patients began receiving notifications on November 23, 2022.

Legacy Health doesn’t believe patient data was further exposed or misused, however, patients were instructed to keep track of their credit reports and account statements for indications of data misuse. If offered complimentary credit monitoring services to impacted patients. Legacy Health has strengthened the workforce with training about proper uses and disclosures of patient information.

Data Breach at Maryland Senior Living Facility

The senior living facility, Blakehurst in Towson, MD, recently reported the potential compromise of the personal data and PHI of present and previous workers and patients due to a cyberattack. On February 7, 2022, strange activity was discovered in its email environment. The forensic investigation confirmed a number of employee email accounts had been accessed without authorization. On August 4, 2022, Blakehurst affirmed that the compromised email accounts held patient information.

The evaluation of emails and file attachments was accomplished on September 20, 2022, and showed the potential compromise of the following information: names, birth dates, medical data, Social Security numbers, medical insurance data, financial account numbers, and driver’s license numbers. Impacted individuals were informed concerning the breach on December 6, 2022, and received offers of free credit monitoring and identity theft protection services with $1,000,000 identity theft insurance coverage. Blakehurst mentioned it took action to enhance the security of its email system to avoid the same breaches later on.

Based on the HHS’ Office for Civil Rights breach website, there were around 1,047 persons impacted by the breach.