Keystone Health and Lifespire Services Patients Impacted by Data Breaches

Keystone Health based in Chambersburg, PA lately reported that it encountered a cyberattack last August 19, 2022, which resulted in a temporary interruption to its computer networks. Steps had been promptly undertaken to reestablish the security of its programs and stop continuing unauthorized access. A third-party cybersecurity company investigated the breach to find out how the attackers acquired access to its networks and the extent of the data breach.

The forensic investigation showed that the attackers first acquired access to its networks on July 28, 2022. Their network access was blocked on August 19. The attackers were able to access files that included the following patients’ protected health information (PHI): names, clinical data, and Social Security numbers. A complete analysis of those files showed they comprised the data of 235,237 individuals.

Keystone Health notified law enforcement concerning the cyberattack and notified all impacted persons through the mail. Eligible patients received offers of free credit monitoring services. Keystone Health mentioned it is implementing extra security procedures to stop more occurrences of this type, and workers were given further security awareness training.

Lifespire Services Gives Latest News on February 2022 Cyberattack

Lifespire Services based in New York, a company offering services to individuals with developmental handicaps, has given the latest news about a security incident that was initially reported in April 2022. The reported incident was discovered on February 8, 2022, which disrupted its computer systems. A digital forensics firm helped Lifespire to confirm that unauthorized persons accessed its systems from January 14, 2022 to February 8, 2022, and may have viewed patient data at that time.

The extensive analysis that was done on all files in the affected areas of its system was completed on October 7, 2022. Lifespire affirmed that the PHI of 15,375 individuals was exposed. The exposed PHI included names, addresses, birth dates, Social Security numbers, passport numbers, driver’s license numbers, bank account details, credit card data, medical diagnosis/treatment details, Medicaid/Medicare numbers, and medical insurance data.

Lifespire stated it did not know of any cases of patient data misuse. Nevertheless, it offered the impacted persons free membership to credit monitoring and identity protection services. Because of the data breach, the company’s guidelines and procedures associated with network security were also updated.

Lifespire took several weeks or months to investigate the data breaches and analyze impacted files. Notifications about the attack had been issued to patients in April, even if the analysis of files is not yet completed. The HIPAA Breach Notification Rule requires the immediate issuance of notification and it is helpful for patients to know about the incident so they can take the necessary steps to safeguard themselves against improper use of their data. A lot of healthcare companies delay the announcement of the breach until the review of files is done. That could take a few months after and patient data may have already been stolen.