Data Breaches at Manchester Ophthalmology, Cook County Health and UnitedHealthcare

A cyberattack on Manchester Ophthalmology in Connecticut allowed attackers to gain access to patient data. On November 25, 2019, the eye care provider discovered the cyberattack when employees detected strange activity on its system. A third-party technology company helped investigate the incident and found later that day the system access by hackers who tried to deploy ransomware. The hackers gained network access from November 22, 2019 to November 25, 2019. Manchester Ophthalmology was able to immediately terminate remote access and prevent data encryption.

There is no evidence found that indicates the attackers accessed or downloaded any patient data, however, the investigators confirmed that some patient data were not backed up and cannot be retrieved. Manchester Ophthalmology lost the following types of information: patient names, medical histories, and information on the care received by patients at Manchester Ophthalmology.

Patients were instructed to be careful and keep track of their explanation of benefits statements and accounts for any indication of data fraud. Manchester Ophthalmology gave employees further training on the proper backing up of all data.

The breach summary sent to the Department of Health and Human Services’ Office for Civil Rights states that the security breach impacted around 6,846 patients.

Mailing Error at Cook County Health

Cook County Health based in Chicago, IL began informing 2,713 people regarding the error in sending some of their protected health information (PHI) to a third-party vendor. The information pertaining to people taking part in a #keepingitLITE research was forwarded to a vendor who was supposed to help mail research data.

The listing of research participants, including their names, physical and email addresses, was mailed to the vendor prior to signing a business associate agreement (BAA). A BAA is proof of a vendor’s agreement to employ safety measures to protect data privacy and security. Without having a BAA, Cook County Health is not assured that the vendor has satisfactory safeguards in place.

Steps were already taken to make certain the same error won’t happen again in the future.

Data Breach at UnitedHealthcare

On January 31, 2020, the health insurance provider, UnitedHealthcare in Minnetonka, MN, reported a data breach in 2019 which resulted in the potential compromise of the private data of some of its clients in South Carolina.

UnitedHealthcare knew about the data security breach on December 10, 2019 and learned that an unauthorized person accessed members’ health information via its member portal sometime on July 30, 2019 to Nov 13, 2019. The compromised information only included the members’ first and last names, medical plan data, and medical claims information.

UnitedHealthcare reported the incident to law enforcement and is helping with the investigation. The health insurer already took steps to stop other similar breaches in the future. The breach was published in HHS’ Office for Civil Rights breach portal indicating that 934 people were impacted.