Southern Orthopaedic Associates and Eduro Healthcare Report Hacking Incidents

Southern Orthopaedic Associates (SOA) based in Paducah, KY has started sending notification letters to 106,910 patients regarding a breach that affected their protected health information (PHI).

SOA noticed unauthorized activity in the email account of an employee on or around July 8, 2021. The healthcare provider immediately took steps to secure the account. An investigation was begun to know the nature and magnitude of the breach. With the help of a third-party computer forensics agency, SOA learned that a number of employee email accounts were compromised from June 24, 2021, to July 8, 2021; nevertheless, it cannot tell which, if any, email messages in the account were seen.

A thorough analysis was performed of all emails and file attachments in the breached accounts to find out whether or not they include any protected health information. The evaluation was finished on October 21, 2021, and affirmed that the accounts comprised patient names plus Social Security numbers.

SOA sent notification letters to the affected people starting on December 12, 2021. Complimentary one-year membership to credit monitoring services through Experian has been offered. Additional safeguards to enhance email security had been implemented. The workforce was given further security awareness training.

Eduro Healthcare Data Breach Impacts More Than 8,000 Patients

Eduro Healthcare in Salt Lake City, UT has informed 8,059 patients concerning a potential compromise of their PHI. In March 2021, the healthcare provider detected suspicious activity in its network and took immediate action to limit the security breach. The healthcare organization enforced its incident response plan which permitted it to easily bring back access to its system.

Eduro Healthcare stated the quick action taken in response to the breach was considered to have averted unauthorized persons from accessing and exfiltrating patient files; nonetheless, on August 24, 2021, Eduro Healthcare found out that certain patient data were exfiltrated and published on a dark web data leak site.

Then started a painstaking process of finding the people impacted and the types of information that was compromised. That process was finished on October 21, 2021. The exposed information included first and last names, dates of birth, provider name, date(s) of service, treatment data, health insurance information, and Social Security numbers.

Affected persons have been provided 12 months of free credit monitoring and identity restoration services with IDX and will be covered by a $1,000,000 identity theft insurance plan. Eduro Healthcare has put in place more security controls, performed a total audit of all accounts, strengthened password protocols, reconfigured its firewall, used multi-factor authentication on email accounts, and updated its system security practices and procedures.