Data Breaches Reported by Rebound Orthopedics, BCBST, Orsini Pharmaceutical Services, R1 RCM, and Philips Respironics

Rebound Orthopedics & Neurosurgery Cyberattack

Rebound Orthopedics & Neurosurgery, located in Vancouver, WA, recently reported that it experienced a cyberattack on February 2, 2024. It detected the attack on February 3 because its computer systems, which include its patient and scheduling sites, were disconnected from the web, and the outage continued for over 2 weeks. Computer forensics experts investigated the incident and reported that an unidentified and unauthorized person accessed its systems and viewed or stole files that were kept there. A comprehensive analysis of those files confirmed that they included patient data, though there is no evidence that any data in those files has been misused.

It is uncertain at this time what data was affected since those details weren’t provided in the sample notification sent to the Montana Attorney General. The incident is not yet posted on the HHS’ Office for Civil Rights portal, so the number of individuals affected is uncertain. Rebound Orthopedics & Neurosurgery stated that additional security measures were implemented to prevent similar incidents in the future and that free credit monitoring services were provided to the impacted persons for two years.

BlueCross BlueShield of Tennessee Cyberattack

BlueCross BlueShield of Tennessee, Inc. (BCBST) and Volunteer State Health Plan, Inc., also known as BlueCare Plus Tennessee, sent notification letters to approximately 2,000 persons regarding two security incidents that compromised their sensitive data.

BCBST stated it detected suspicious access attempts to its member website on or about December 19, 2023. The attempts involved logging in using combinations of usernames and passwords that came from an unidentified source. The investigation found no evidence of a breach of the BCBST network. The incident appears to have been a credential stuffing attack, in which a threat actor uses username/password combinations taken from a third-party breach to try to access accounts on other platforms.

The member website was promptly deactivated while the unauthorized activity was investigated. BCBST enhanced its password security and engaged third-party forensics professionals to help with the investigation. From January 18 to January 24, 2024, BCBST discovered that a similar incident happened on August 7, 2023. The information possibly accessed during these two incidents contained names, birth dates, addresses, names of providers, subscriber IDs, group numbers and names, plan data, medical data, claims details, and user IDs and passwords. Less than 1% of the impacted people had compromised financial data. The breached data only contained IDs and passwords for those whose plan coverage concluded over two years ago.

BCBST is using new access requirements, has informed the impacted persons, and has provided them with free identity monitoring services. They were also asked to change their web account passwords when they log in and to use a password that isn’t used anywhere else. Two separate data breach reports were submitted to the HHS’ Office for Civil Rights, covering 1,251 and 790 persons.

Orsini Pharmaceutical Services Hacking

Orsini Pharmaceutical Services, based in Illinois, recently discovered unauthorized access to the email account of an employee. The breach was discovered on January 10, 2024, and the investigation revealed that a single email account was exposed from January 8 to January 10, 2024. The email account was analyzed to determine the types of information that were exposed, which revealed that the protected health information (PHI) of 1,433 individuals was held in the account, including names, dates of birth, addresses, health insurance data, medical record numbers, diagnoses, and/or prescription details.

Orsini Pharmaceutical Services found no evidence that the attack was intended to acquire patient data, yet the possibility could not be ruled out. Additional safeguards and technical security procedures were put in place to secure and monitor its systems. The affected people have been informed and offered free membership to a credit monitoring service for 12 months.

R1 RCM Data Breach Affects 16,000 Individuals

R1 RCM Inc., a revenue cycle management services provider to hospitals, announced a PHI breach involving 16,121 patients. According to a breach notification submitted to the Massachusetts Attorney General, R1 discovered on November 23, 2023 that an unauthorized third party acquired PHI related to St. Rose Dominican Hospital de Lima of Dignity Health. However, the breach did not affect the hospital’s system.

R1 conducted a review to determine the types of data that were stolen. On January 11, R1 determined that the breached data contained names, contact details, birth dates, service location, clinical and/or diagnosis data, medical record and/or patient account numbers, and Social Security numbers. R1 has notified the impacted persons directly and has provided them with free credit monitoring and identity theft protection services for 2 years.

Philips Respironics Breach Impacts 1,125 Individuals

Philips Respironics recently submitted a breach report to the HHS’ Office for Civil Rights covering the PHI of 1,125 persons. Although the breach was only recently reported to OCR, the exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution happened on May 31, 2023. Philips Respironics uncovered the data breach on June 5, 2023.

Forward Healthcare LLC and Rotech Healthcare, clients of Philips Respironics, were impacted by the breach. Forward Healthcare said it received notification from Philips Respironics on December 20, 2023 about the unauthorized access to the Care Orchestrator and Encore Anywhere software programs through the MOVEit vulnerability. Personal and medical data of 3,999 Forward Healthcare patients were likely exposed. Rotech Healthcare stated it became aware of the incident on December 26, 2024, and received a list of the impacted individuals. The exposed data included names, contact details, birth dates, medical data associated with the therapy provided, and medical insurance data. It is presently uncertain how many Rotech patients were impacted.