Data Breaches Reported by Idaho Department of Health and Welfare, Utah Department of Health and Human Services and Other Healthcare Providers

Data Breach at Claims Processor Affects Idaho Medicaid Recipients

The Idaho Department of Health and Welfare reported the potential access or theft of the personal data of 2,501 Medicaid recipients in a data breach that occurred at Gainwell Technologies, its claims processor. An unauthorized person acquired credentials that permitted access to the Gainwell website and to information including names, billing codes, ID numbers, and treatment data.

The breach was uncovered on May 12, 2023, and after an investigation and evaluation, impacted persons were informed on June 9, 2023. The affected persons received credit monitoring and identity theft protection services.

Utah Department of Health and Human Services Informs 5,800 Health Plan Members About Mailing Error

The Utah Department of Health and Human Services (DHHS) has reported the impermissible disclosure of the protected health information (PHI) of 5,800 Medicaid recipients because of a mailing error. The error resulted in the accidental grouping of the benefit letters together and sent to the wrong persons. Upon discovery of the error on May 8, 2023, the mailing process was stopped to avoid continuing impermissible disclosures.

The benefit letters contained Medicaid benefit details, however, just about 200 of the 5,800 persons impacted had either their Social Security number or Medicare health insurance claim number (HICN) exposed. Those people received free credit monitoring services. The DHHS stated that together with its business associate, Client Network Services (CNSI), they are making sure the error is fixed and system screening and quality standards are improved.

Data Breach Impacts 33,800 Patients at Atlanta Women’s Health Group

Atlanta Women’s Health Group, P.C. lately announced the exposure and potential theft of the PHI of around 33,839 present and past patients as a result of a cyberattack in April 2023. The health group detected a security breach on April 12, 2023, and engaged third-party cybersecurity specialists to find out the nature and extent of the breach. The investigation affirmed that patient data had been accessed, however, the breach report didn’t say if that data was extracted from its systems. As per the Atlanta Women’s Health Group, during the issuance of the notification letters, there was no proof found that suggests the misuse of patient information.

For most patients, the data compromised in the attack only included names, dates of birth, patient ID numbers, and other data that could have been a part of medical files. Third-party cybersecurity specialists helped to apply extra cybersecurity procedures to stop more data breaches. Impacted patients are being urged to keep track of their credit statements, health account reports, and explanation of benefit forms for dubious transactions.

16,000 Blue Cross Vermont Members Impacted by January Cyberattack

Around 16,000 members of Blue Cross Vermont health plans had their PHI exposed in a January 2023 cyberattack. Attackers accessed its systems by exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution and stole sensitive information including names, dates of birth, addresses, medical data, and insurance details. About 5% of the impacted persons likewise had their financial data stolen.

Around 13,700 of the impacted persons were Vermont Blue Advantage Health Insurance Plans members, about 2,250 persons were Vermont Blue Advantage Plans members, and the rest of the impacted persons were members of other insurance programs. NationsBenefits, the business associate that used the GoAnywhere MFT solution, sent the notification letters to impacted persons. NationsBenefits has provided 24 months of free credit monitoring services to affected individuals.

12,317 New Horizons Medical Patients Affected by Data Breach

New Horizons Medical, Inc. based in Massachusetts, a psychiatry, mental health, and substance use treatment services provider, has lately submitted a data breach report to the Maine Attorney General indicating that up to 12,317 patients were affected. The provider detected unauthorized network access on April 19, 2023, and launched a third-party forensic investigation to find out the nature and extent of the breach of patient information. The investigation showed that unauthorized persons accessed its network from February 12, 2023 to April 23, 2023 and potentially viewed or exfiltrated patient data.

The review of the impacted files showed they included names together with at least one of these types of data: address, birth date, Social Security number, financial account data, driver’s license number, medical insurance plan member ID, medical records number, claims information, diagnosis, and prescription details. New Horizons Medical sent notification letters to impacted persons on June 16, 2023 and offered free credit monitoring and identity protection services to qualified persons. The provider likewise confirmed that extra security and technical measures were implemented to further secure and keep track of its data systems.

CareNet Medical Group Announces Data Security Incident

CareNet Medical Group located in New York has begun informing 3,359 patients about the theft of some of their PHI in a security breach. The breach notice doesn’t mention when the security incident was discovered but the investigation showed on April 26, 2023, that an unauthorized person accessed its network from May 9, 2022 to June 4, 2022. At this time period, the hacker copied files from its network.

The breached data included complete names, addresses, bank account numbers/routing numbers, driver’s license numbers, birth dates, Medicare numbers, medical reference numbers, mobile phone numbers, residence telephone numbers, medical insurance details, Social Security numbers, and email addresses. CareNet sent notification letters to impacted persons on June 2, 2023, and offered free credit monitoring services to those who had their Social Security numbers exposed. The medical provider did not explain why it took about 11 months to know which patient data were compromised.

Vincera Institute Encounters Ransomware Attack

Vincera Institute based in Philadelphia, PA has reported that it encountered a ransomware attack last April 29, 2023. It took quick action to protect its systems to avoid further unauthorized network access and patient data compromise. Cybersecurity experts were called in to look into the incident. Vincera Institute stated in its June 20, 2023 press release that the data breach investigation is in progress, however, it has been confirmed that the attackers got access to sections of its network that held patient data; nevertheless, there is no unauthorized access to patient data or misuse discovered.

The files possibly accessed in the attack included complete names, telephone numbers, addresses, email addresses, birth dates, Social Security numbers, medical backgrounds and treatment data, insurance details, and other data given by patients. Security measures were improved as prompted by the incident, and tracking procedures were enhanced.

The four breach reports submitted to the HHS’ Office for Civil Rights last June 20, 2023 covered Vincera Imaging LLC with 5,000 affected individuals, Vincera Surgery Center with 5,000 affected individuals, Vincera Rehab LLC with 5,000 affected individuals, and Core Performance Physicians, also known as Vincera Core Physicians with 10,000 affected individuals.

 

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.