Data Breaches Reported by IBM, Hospital Sisters Health System, University of Massachusetts Chan Medical School, Lifeline Systems Company and Milan Eye Center

IBM Informs Janssen CarePath Patients Concerning Unauthorized Database Access

IBM recently reported that the sensitive information of patients of Janssen CarePath, a Johnson & Johnson Health Care Systems subsidiary, has been compromised. IBM manages the software and database used with the Janssen CarePath platform and is therefore a business associate of Johnson & Johnson. Janssen recently discovered a method that unauthorized persons could use to access the database and informed IBM, which notified the database company and fixed the problem. IBM also carried out an investigation to find out whether unauthorized individuals had accessed the database. It confirmed that unauthorized access happened on August 2, 2023; however, it was not possible to determine the nature of the unauthorized access or whether patient information was extracted.

Because patient information could have been accessed, IBM sent notification letters to the affected Janssen CarePath consumers. The compromised information included names along with at least one of these data types: contact details, birth date, medical insurance data, prescription drugs, and medical conditions. IBM has provided the affected persons with a year of free credit monitoring services.

The incident has not yet been posted on the HHS’ Office for Civil Rights breach website, so the number of individuals affected is currently unknown, but it must be large, as 1.16 million patients used the CarePath system in 2022.

Cyberattack on Hospital Sisters Health System

Hospital Sisters Health System (HSHS) experienced a cybersecurity incident that forced it to shut down part of its IT system. The telephone system was deactivated; however, most of the hospital and clinic telephone lines have been restored. The website was affected and is currently redirecting to the domain, where patients can get regular updates.

Hospital Sisters Health System is based in Springfield, IL, and manages 15 hospitals in Wisconsin and Illinois, which are operating under downtime protocols until IT systems can be safely brought back online. All emergency and hospital departments remain operational, and patients are being accepted and cared for; however, patient billing services remain suspended. At this stage of the investigation, it is too soon to say how much patient information was compromised.

MOVEit Transfer Hack Resulted in PHI Theft

The University of Massachusetts Chan Medical School recently stated that the protected health information (PHI) of 134,394 people was breached by the Clop hacking group, which exploited a zero-day vulnerability in the MOVEit Transfer file transfer software.

The affected persons had enrolled in a state program through the medical school, which is based in Worcester, MA, such as the State Supplement Program, MassHealth Community Case Management, MassHealth Premium Assistance, or the Executive Office of Elder Affairs and Aging Services Access Points home care programs. The breached data consists of names, birth dates, addresses, financial account numbers, Social Security numbers, and medical data (diagnosis, treatment details, prescription data, names of providers, dates of service, claims data, and medical insurance data). Free credit monitoring and identity theft protection services were provided to the affected persons.

Lifeline Systems Company Informs Patients Concerning the Cyberattack in August 2022

Lifeline Systems Company, based in Marlborough, MA, provides patient alarm systems. It recently sent notifications to 74,849 people regarding a data breach that happened over one year ago. According to the notification letters, it detected unusual network activity on August 6, 2022. Incident response protocols were quickly initiated, and a third-party computer forensic investigation was launched to look into the nature of the incident.

The investigation confirmed that an unauthorized person accessed its systems between July 27, 2022, and August 6, 2022, and viewed selected files on its systems during that period. Lifeline confirmed on August 18, 2022, that the files contained data for subscribers, employees, and persons eligible for Lifeline services. The breached information included names, Social Security numbers, and driver’s license numbers.

Because of the time it took to review the documents, notification letters could not be sent before September 7, 2023. Free credit monitoring services were provided to persons whose driver’s license number or Social Security number was exposed. Lifeline said it has improved its network monitoring capabilities and will continue to perform system audits to identify unauthorized activity.

Milan Eye Center Reports EHR Vendor Breach

Milan Eye Center, a network of eye surgery centers based in Atlanta, GA, has begun notifying 67,336 patients about the compromise of some of their PHI in a security incident that occurred at iMedicWare Inc., its third-party vendor. Milan Eye Center stated it was notified about a data breach incident on December 9, 2022, and started an investigation, which confirmed on July 24, 2023, that some historical patient archives maintained by iMedicWare were accessed without authorization between May 18, 2020, and July 23, 2020.

The records contained data such as names, dates of birth, phone numbers, insurance coverage data, service areas, dates of service, medical statuses, and Social Security numbers. It was not possible to determine precisely which patient data were viewed, so notification letters were sent to all people who received healthcare services on or before July 23, 2020. Free credit monitoring services were provided to the affected persons.

Milan Eye Center stated that iMedicWare is no longer its electronic health record vendor and said that additional technical safeguards and guidelines have been implemented to improve data system security.