Data Breaches Reported by Memorial Health System and MedQuest Pharmacy

Memorial Health System based in Ohio has lately confirmed that the ransomware attack it encountered in August 2021 possibly impacted the protected health information (PHI) of 216,478 patients. Because of the ransomware attack, the health system had to get selected patients to other hospitals and cancel a few appointments to make sure of patient safety. The hospital announced the attack immediately after the breach, which happened on August 14, 2021. The investigation revealed the first breach of its network happened on July 10, 2021.

The health system reported the incident to the HHS’ Office for Civil Rights immediately, however, during that time it was not known how many people were affected. Memorial Health System found out that patient data may have been impacted on or around September 17, 2021, then had a thorough assessment of all affected files. On November 1, 2021, the scope of the breach was confirmed however it took until December 9, 2021, to verify the persons impacted and the specific types of information involved, consequently there was a delay in sending notifications. Written notices were delivered to affected people on or approximately January 12, 2022.

The breached and potentially exfiltrated information included names, Social Security numbers, addresses, medical/treatment details, and health insurance data. Affected persons were provided a complimentary membership to Kroll’s credit monitoring service for 12 months. Since then, Memorial Health System has used extra safeguards to enhance its security posture.

MedQuest Pharmacy Data Breach Affects 39,447 People

In mid-December, MedQuest Pharmacy started sending notifications to 39,447 individuals regarding the potential compromise of some of their PHI because of a cyberattack that was identified on November 18, 2021. With the help of its parent companies, Innovations Group and UpHealth Inc, and independent cybersecurity specialists, MedQuest confirmed the attackers first acquired access to its systems on October 27, 2021. The unauthorized access was prevented on October 30, 2021.

A detailed evaluation of all impacted systems showed the attackers possibly accessed or obtained the following types of data: Names, birth dates, addresses, email addresses, telephone numbers, genders, medical record numbers, medical information, prescription data, date(s) of treatment, referring doctor names, health insurance policy numbers (which include Medicare or Medicaid number), and internal MedQuest patient ID number.

MedQuest stated that the driver’s license number, Social Security Number, financial account/payment card details, medical insurance claim number, policy details, and/or claim/appeal data of a very small number of persons likewise had been exposed. All affected people have been given a one-year free membership to credit and identity monitoring services of Equifax.