Data Breaches Reported by Southern Association of Independent Schools, Harris Health Systems, New England Life Care and Other HIPAA Covered Entities

Highly Sensitive School Records of 700,000 Individuals Exposed on the Web

Highly sensitive data of 682,438 teachers and students from independent schools were left accessible to the public online without requiring a password. Security researcher Jeremiah Fowler discovered the compromised 572.8 GB database and tracked the files in the database to be from the Southern Association of Independent Schools, Inc (SAIS).

The database included highly sensitive data of teachers and students. Every student file contained a picture of the student, and their home address, birth date, age, medical data, and Social Security number. Fowler stated he found third-party security information that contained particulars of problems in school security, the camera locations, access and entry areas, active shooter and lockdown notices, school maps, teacher background records, financial budgets, and more. Fowler immediately informed SAIS, which quickly secured the database.

Fowler could not find out the duration of exposure of the database and when it was used by unauthorized persons. He mentioned the database was a valuable resource for cybercriminals on varied levels. The database was stored in a cloud database and was wrongly set up to be without password protection. The database seemed to be the primary server of SAIS, and the exposure didn’t seem to be because of a vendor settings problem.

Harris Health Systems Reports 225,000-Record Data Breach

Harris County Hospital District, dba Harris Health System, has lately announced a data breach impacting 224,703 patients. On June 2, 2023, Harris Health System received notification concerning the identification of a zero-day vulnerability in the MOVEit Transfer file transfer solution. The vulnerability was promptly resolved; nevertheless, the forensic investigation showed hackers had taken advantage of the vulnerability on May 28, 2023, and extracted files from the database.

The analysis of the impacted files showed they included data like names, addresses, dates of birth, medical record numbers, Social Security numbers, immigration standing, driver’s license numbers/ other government-issued ID numbers, medical insurance data, procedure data, treatment expenses, diagnoses, prescription drugs, names of provider, and dates of service.

Harris Health System claimed it has patched the vulnerability and took extra steps to enhance the protection of its MOVEit server. Impacted persons were informed regarding the breach on July 21, 2023, and those whose Social Security numbers were exposed received credit monitoring and identity theft protection services for free.

New England Life Care Announces Data Breach of 51,854 Records

New England Life Care based in Portland, ME states it discovered a security breach on May 24, 2023, that interrupted its IT systems. The incident was quickly secured as a third-party cybersecurity agency carried out a forensic investigation. The analysis affirmed that the compromised files included patient information like names, addresses, equipment/service details, and patient standing (active/discharged).

The 51,854 impacted patients received notification via mail on July 21, 2023. New England Life Care stated extra safety and technical measures were enforced to avoid the same occurrences later on.

Park Royal Hospital Reports Unauthorized Email Account Access

Park Royal Hospital located in Fort Myers, FL identified unauthorized access to the email account of an employee. The security incident was discovered on May 15, 2023. It was confirmed by the forensic investigation that the email account was compromised on May 8, 2023. The email account included protected health information (PHI) like patient names, provider names, treatment dates, diagnosis, and treatment details. The hospital stated extra safety measures and technical security measures were enforced to further secure and keep track of its systems.

The investigation of the incident is still in progress, after which the notification letters will be sent by mail. Park Royal Hospital already reported the breach to the HHS’ Office for Civil Rights indicating that at least 500 people were affected.

Email Accounts Breach at Unified Pain Management

Konen & Associates, dba Unified Pain Management based in Texas, has lately informed the HHS’ Office for Civil Rights regarding an email account breach affecting approximately 500 records. On March 21, 2023, it detected suspicious activity in its company email accounts. Steps were quickly undertaken to avoid continuing unauthorized access. A third-party digital forensic company carried out an investigation; nevertheless, it cannot be determined whether any data inside the email accounts were accessed or stolen.

The analysis of the emails affirmed that they included data like patient names, addresses, medical insurance policy numbers, payment details, Social Security numbers, and medical data for instance treatment and diagnosis data. Steps were undertaken to enhance email security and impacted persons were provided free credit monitoring and identity theft restoration services.

Around 170,450 Patients Impacted by Chattanooga Heart Institute Cyberattack

The Chattanooga Heart Institute (CHI) based in Tennessee has lately reported that it discovered a cyberattack on its system on April 17, 2023. Immediate action was undertaken to avoid continuing unauthorized access. A third-party forensics company investigated the attack to find out the nature and extent of the attack. It was confirmed that unauthorized persons acquired access to its system from March 8, 2023 to March 16, 2023. Then, on May 31, 2023, the attackers copied files that contain sensitive patient information.

The attack did not compromise CHI’s electronic medical record system; nevertheless, the files extracted from its system were identified to include names, email addresses, mailing addresses, telephone numbers, dates of birth, Social Security numbers, driver’s license numbers, account data, medical insurance details, diagnosis/condition data, laboratory results, medicines, and other demographic, medical, or financial details. CHI will send notification letters to the impacted persons soon and will offer identity theft restoration services, credit monitoring, and fraud consultation.

The breach report was submitted to the Maine Attorney General indicating that around 170,450 persons were affected. Although CHI didn’t reveal the cybercriminal group that was responsible for the attack, there was an announcement from the Karakurt group that it is behind the attack. Karakurt is a fairly new threat actor without qualms regarding attacking healthcare companies.