Data Breaches Reported by Seven Healthcare Providers

Johns Hopkins Investigation of Cyberattack and Data Breach

Johns Hopkins Health System and Johns Hopkins University are investigating a cyberattack and data breach that occurred on May 31, 2023, targeting a popular software program. Although the targeted tool was not named, the date of the breach is the same as the date of the Clop/FIN11 attacks on the MOVEit Transfer managed file transfer solution.

The data breach investigation is still in progress, but preliminary information suggests that sensitive personal data and financial details were affected, such as names, contact details, and health billing data. Affected individuals will receive notifications in the following weeks, once the full scope of the breach is confirmed. Johns Hopkins has stated that it will provide credit monitoring services to impacted persons. Meanwhile, Johns Hopkins urges all students, teachers, and their dependents to act immediately to secure their personal data, for example by reviewing their credit reports, statements, and accounts for unusual activity, and by placing a fraud alert and a credit freeze with a national credit bureau.

At this point, the number of individuals affected is still not clear.

PHI of 33,000 Maimonides Medical Center Patients Compromised in Cyberattack

Maimonides Medical Center, located in Brooklyn, NY, reported unauthorized access to the protected health information (PHI) of around 33,000 patients that was stored on its systems. The medical center discovered the security breach on April 4, 2023, and immediately blocked the unauthorized access. The forensic investigation established that the first access happened on March 18, 2023.

The analysis of impacted files showed that, for most persons, only names, addresses, and selected clinical data such as diagnoses and treatment data were compromised; for some people, however, Social Security numbers were also compromised. Impacted persons were provided two years of free credit monitoring and identity theft protection services. The medical center hired third-party cybersecurity specialists to review system security and confirm that sufficient safeguards were in place, and extra authentication steps were recently enforced.

iSpace Inc. Cyberattack Affects Data of 24,400 Individuals

iSpace, Inc., a company offering insurance eligibility services, has recently begun notifying 24,382 people about a cyberattack it identified on February 5, 2023. In its notification letter sent to the California Attorney General on May 31, 2023, iSpace stated that its forensic team confirmed a system compromise and the exfiltration of files from January 30 to February 5, 2023.

The evaluation of the affected files showed that they included names, birth dates, Social Security numbers, diagnosis details, medical insurance group/policy numbers, subscriber numbers, medical insurance data, and prescription details. At the time notifications were issued, there was no report of actual or attempted misuse of the impacted individuals’ data. iSpace stated that it engaged security experts to examine its privacy and security guidelines and practices and will change them as necessary. The delay in issuing notifications was attributed to the lengthy review and data analysis process, which was finished on March 3, 2023, and the subsequent confirmation of contact details.

Ransomware Attack at Richmond University Medical Center

Richmond University Medical Center (RUMC), located in West Brighton, NY, has reported its complete recovery after a ransomware attack in early May. The attack compelled the medical center to take systems offline and initiate its emergency procedures, so employees recorded patient data by hand while systems were restored. The investigation of the ransomware attack is still in progress to determine the scope of patient information compromised. Affected individuals will receive notification letters after the completion of that process.

PHI of 181,700+ Great Valley Cardiology Patients Exposed

Commonwealth Health Physician Network-Cardiology, also known as Great Valley Cardiology, based in Scranton, PA, has informed 181,764 current and former patients about a cyberattack and data breach it identified on April 13, 2023. The forensic investigation stated that the data possibly exposed during the attack contained names along with addresses, dates of birth, passport numbers, Social Security numbers, driver’s license numbers, credit/debit card and bank account details, diagnoses, prescription drugs, laboratory test results, and medical insurance/claims details.

Hackers initially acquired access to the systems of Great Valley Cardiology on February 2, 2023. They had access to the systems until April 14, 2023, when the healthcare provider secured its systems. The Department of Homeland Security notified the healthcare provider about the attack. Access to the systems was gained through a successful brute-force attack.

Impacted persons received free credit monitoring and identity theft protection services for two years as a safety measure, even though no misuse of patient data has been reported as a result of the data breach.

EpiSource Reports Data Breach

EpiSource, a medical coding vendor based in Gardena, CA, has reported the potential exposure and compromise of the PHI of patients of its healthcare customers during a cyberattack on its Amazon Web Services (AWS) environment in February 2023.

EpiSource detected the cyberattack on its AWS account on February 20, 2023. The investigation confirmed that an unauthorized person accessed its AWS environment from February 19 to 21, 2023. On April 20, 2023, the forensic investigation confirmed the potential access and theft of health and personal data, such as names, birth dates, addresses, telephone numbers, medical record numbers, health plan ID numbers, provider data, diagnoses, and prescription drugs. EpiSource stated that it has enhanced its security controls and monitoring practices after the attack. Affected people received one year of free identity theft protection services.

The incident has not yet been posted on the HHS Office for Civil Rights breach website, so the number of affected individuals is currently uncertain.

25K UPMC Patients Affected by Business Associate Data Breach

University of Pittsburgh Medical Center (UPMC) has reported that around 25,000 patients were impacted by a data breach that occurred at a business associate offering billing and collection services. Intellihartx LLC experienced the data breach and sent notifications to the impacted UPMC patients. The breached information included names, Social Security numbers, addresses, and other personal data. Free credit monitoring services were provided to the victims. Intellihartx submitted the breach report to the Maine Attorney General indicating that 489,830 persons were affected.