Data Breaches at CorrectCare Integrated Health and Regions Hospital

CorrectCare Integrated Health, a medical claims processor, recently informed its clients about the accidental exposure of the protected health information (PHI) of some patients online and unauthorized persons may have accessed them. CorrectCare discovered on July 6, 2022 the misconfiguration of two file directories on its web server. Anyone online could access these file directories without the need for authentication.

The data breach impacted patients served by Health Net Federal Services (HNFS) in California and Mediko, Inc. in Virginia. HNFS is a business associate of the California Department of Corrections and Rehabilitation (CDCR) / California Correctional Health Care Services (CCHCS), while Mediko is Virginia’s biggest provider of medical care services to persons in correctional facilities. Approximately 80,000 persons imprisoned in facilities managed by the Louisiana Department of Public Safety and Corrections were also affected by the data breach.

CorrectCare stated that it secured the web server 9 hours after discovering the wrong configuration. The forensic investigation affirmed the exposure of the files starting January 22, 2022. The data of persons treated from January 1, 2012 to July 7, 2022 were exposed.

The information included in the exposed file directories were: names, birth dates, inmate numbers, and some health data, such as CPT codes, diagnosis codes, treatment companies, dates of treatment, and, the Social Security numbers for some persons.

Hacking Incident at Regions Hospital

Regions Hospital based in St. Paul, MN recently reported that unauthorized people acquired access to the PHI of 978 patients. It is believed that the attacker’s objective in accessing its secure system is not to steal patient information but to steal payments from a health insurance provider.

Nevertheless, because a file on the network was viewed and it contained patient data, such as first and last names and Social Security numbers, Regions Hospital decided to notify the affected individuals by mail. The hospital also offered the patients membership to an identity theft protection service for 12 months.