PHI of Patients Potentially Compromised Due to Data Breaches at Andrews Braces and EVERSANA

Andrews Braces, an orthodontics practice based in Sparks, NV, experienced a ransomware attack that encrypted patient data. The practice discovered the attack on February 14, 2020, and the subsequent investigation revealed that the ransomware had been downloaded the preceding day.

Andrews Braces engaged a third-party forensic investigator to evaluate the extent of the attack and determine whether patient data was accessed or exfiltrated before encryption. Although it is not unusual for ransomware attacks to also involve data theft, the investigators found no evidence that the attackers accessed data. The attack appeared to be automated, with the sole purpose of encrypting data to demand a ransom from the provider.

Because the practice had regularly backed up all its patient data and stored the backups carefully, it paid no ransom and restored the encrypted files itself. No data theft is suspected, but the possibility cannot be ruled out, so Andrews Braces sent notification letters to all impacted patients. The attacker could have accessed the following types of data: names, addresses, birth dates, email addresses, Social Security numbers, and health data.

Andrews Braces has already implemented additional security measures to prevent future attacks.

Data Breach at EVERSANA

EVERSANA is an independent global services provider in the life sciences sector. It discovered that an unauthorized person obtained access to some of its employees’ email accounts in 2019.

EVERSANA was notified of unusual activity in its employees’ accounts and confirmed that an unauthorized person had accessed the accounts through a legacy technology environment. According to the investigation, the accounts were compromised from April 1 to July 3, 2019.

The accounts contained information from a few patient services programs. The investigators found no evidence of unauthorized data access. However, the attacker(s) could have accessed the sensitive data of some patients. A comprehensive analysis of the compromised accounts concluded in February and confirmed the potential compromise of the following data elements: names, addresses, driver’s license numbers, Social Security numbers, state identification numbers, tax identification numbers, passport numbers, debit/credit card details, financial account data, usernames and passwords, health data, treatment details, diagnoses, provider names, Medicare/Medicaid numbers, MRN/patient ID numbers, medical insurance data, treatment cost data, and/or prescription details.

EVERSANA upgraded its legacy technology environment and implemented further safeguards to bolster security. The impacted individuals have already received notification letters, along with free credit monitoring and identity restoration services for 12 months.

The breach has not yet been published on the HHS’ Office for Civil Rights website, so the number of affected individuals is still uncertain at this time.