Healthcare Data Breaches Reported byHampton-Newport News Community Services, Marywood Nursing Care Center, Health Alliance and Others

Marywood Nursing Care Center, Hampton-Newport News Community Services Board, J.D. Gilmour & Co, Health Alliance, Nabholz Construction, and United Regional Health Care System have submitted data breach reports lately.

Hampton-Newport News Community Services Board Ransomware Attack

Provider of behavioral health and intellectual and developmental disability services, Hampton-Newport News Community Services Board based in Virginia, has advised 44,312 people about the compromise of some of their protected health information (PHI) in a ransomware attack. Technical problems were encountered on November 12, 2023, and later confirmed that the problem was because of the ransomware. Third-party cybersecurity specialists helped with the investigation and troubleshooting, and they established that the threat actors acquired access to its system on September 26, 2023.

All affected files were evaluated, which affirmed the exposure of patient data. The exposed information differed among the patients and might have contained names along with addresses, ZIP codes, Social Security numbers, driver’s license numbers, birth dates, clinical details for example diagnosis/conditions, laboratory results, prescription drugs or other treatment data, claims details and insurance details. The Hampton-Newport News Community Services Board cannot ensure whether the above information was viewed or stolen during the attack. The affected patients are provided with credit monitoring and identity restoration services.

Marywood Nursing Care Center Impacts 6,178 People

Marian Village Corporation, also known as Marywood Nursing Care Center based in Massachusetts, encountered a security breach that affected the PHI of 6,178 people. The breach notification provided to the Massachusetts Attorney General doesn’t say when the breach was discovered or when it happened, just that an unauthorized person got access to its system and possibly stole data that included names, addresses, and claims data. No other data was compromised in the cyberattack. The impacted persons were provided free access to Single Single Bureau Credit Report/Single Bureau Credit Score/Bureau Credit Monitoring services for free. Marywood stated it has used extra monitoring software and will go on reviewing and improving the security of its network.

Health Alliance Affected by Cyberattack

Health Alliance located in Illinois has reported the exposure of the PHI of 6,900 members in a data breach that occurred at a subcontractor of its business associate. Health Alliance hired the services of OnTrak, which hired Keenan as subcontractor. On August 27, 2023, Keenan discovered the unauthorized access and disabled its network to control the breach. As per the forensic investigation, an unauthorized third party acquired access to information that contains health plan members’ information. Keenan informed Health Alliance concerning the breach on December 20, 2023, and provided a listing of the impacted members on January 10, 2024.

Health Alliance subsequently analyzed and matched the listing to its members’ information and sent the notification letters. Health Alliance stated these data were exposed in the incident: name, member number, address, birth date, health coverage details, and, in some instances, Social Security number. Keenan has provided the impacted patients with a membership to the Experian IdentityWorksSM Credit 3B service for 24 months.

Nabholz Construction Cyberattack

Nabholz Construction, a provider of construction-related services in Arkansas, was impacted by the Cadence Bank data breach, which compromised the PHI 5,326 of its Corporation Employee Welfare Health Plan members. Cadence Bank notified Nabholz on November 29, 2023, about the exposure of information in a cyberattack that took advantage of a zero-day vulnerability found in the MOVEit Transfer solution of Progress Software. Progress Software released a patch to correct the vulnerability on May 31, 2023; nevertheless, Cadence Bank confirmed that the vulnerability was breached from May 28 to May 31, 2023. The information compromised in the attack contained names, Social Security numbers, birth dates, addresses, medical data like treatment data, provider names, prescription drugs, and medical insurance data.

J.D. Gilmour & Co., Inc. Email Account Breach

Insurance agency, J.D. Gilmour & Co., Inc. based in Glendale, CA , uncovered unauthorized access to its email environment on June 29, 2023. Independent cybersecurity professionals performed a forensic investigation of its email tenant, which affirmed the unauthorized access to one employee’s email account. The analysis of the email account confirmed on October 27, 2023 the breach of the PHI of 2,481 people. On December 21, 2023, J.D. Gilmour & Co. acquired the authorization to send notification letters by mail from the impacted client. The impacted people were provided Single Bureau Credit Score/Single Bureau Credit Monitoring/Single Bureau Credit Report/services for free.

United Regional Health Care System Hacking

United Regional Health Care System reported a data breach related to hacking to the HHS’ Office for Civil Rights. There were 36,900 patients affected. There is no announcement of a data breach on the web page of Wichita Falls according to the TX health system. However, the breach notice sent to the Texas Attorney General mentions that the breach happened on May 30, 2023, and involved names, dates of birth, medical data, and insurance details.