PHI Likely Compromised in Hacking Incidents at Three Healthcare Organizations

Hacker Gains Access to Server of New York Psychotherapy and Counseling Center

New York Psychotherapy and Counseling Center (NYPCC), which is a non-profit provider of mental health services, has reported a cyberattack that was detected in September 11, 2021.

The provider immediately took steps to protect its systems and stop more unauthorized access. It engaged a third-party cybersecurity company to carry out a forensic investigation to find out the nature and extent of the incident. NYPCC stated there was no breach of its electronic medical record system; nonetheless, it is believed that the attacker had accessed certain files on its server that included the protected health information (PHI) of patients.

An analysis of the files found on the server showed the potential compromise of these data: names, addresses, birth dates, dates of service, and Medicaid IDs. NYPCC mentioned it is determined to constantly review and update its security practices associated with the PHI of patients.

Impacted persons received notifications by mail and offers of free credit monitoring, identity monitoring, and other similar services to secure their data against any misuse.

NYPCC has reported the incident to the HHS’ Office for Civil Rights, however, there is no information yet on the OCR breach website, consequently, it is presently uncertain how many people were impacted.

Prairie Lakes Healthcare System Hacked

Prairie Lakes Healthcare System based in Watertown, S.D. has uncovered that an unauthorized person has acquired access to some of its IT systems.

The healthcare system discovered the incident on October 6, 2021, when parts of its network had encountered disruption. Quick action was undertaken to isolate the affected systems and stop more unauthorized access. A third-party cybersecurity company investigated the occurrence and helped with remediation efforts.

Prairie Lakes Healthcare explained all the impacted systems were already in operation; nonetheless, the security breach investigation is still in progress. At this point of the investigation, there is no proof of unauthorized access or patient data exfiltration. In case patient information is considered to have been breached, the company will send notification letters to the affected persons.

Unauthorized Network Access of the Urology Center of Colorado

The Urology Center of Colorado (TUCC) has found out that an unauthorized individual gained access to parts of its computer system. The security breach was discovered and blocked on September 8, 2021. An inquiry into the breach confirmed that the attack started the preceding day.

The compromised sections of its network were examined to know whether any patient information might have been accessed. TUCC said the assessment identified the exposure of the following types of protected health information: name, Social Security number, date of birth, address, email address, phone number, medical record number, diagnosis, treating physician, insurance company, treatment fee, and/or guarantor name.

TUCC stated it altered account passwords to stop further unauthorized access and it considered supplemental security steps to avoid further data breaches. As a safety precaution, TUCC is providing complimentary credit monitoring and identity protection services to impacted people.

TUCC already reported the incident to the HHS’ Office for Civil Rights, however, it has not appeared yet on the breach portal of OCR, consequently, it is currently uncertain how many individuals have been impacted.