United Health Centers of San Joaquin Valley and Lee County Emergency Medical Services Affected by PHI Breach

In August 2021, the Vice Society ransomware operation posted stolen information on its data leak website that was purportedly acquired during a cyberattack on United Health Centers of San Joaquin Valley. Bleeping Computer discovered the data leak on August 31, 2021 and tried to notify United Health Centers several times. Databreaches.net also knew about the data breach and likewise tried to alert United Health Centers several times.

About a year later, United Health Centers notified the people whose protected health information (PHI) was compromised or stolen in the attack. The breach notification sent to the California Attorney General on August 12, 2022 stated that United Health Centers encountered technical problems on August 28, 2021, which caused disruption to its computer network. The company took immediate steps to protect its systems and launched an investigation to determine the cause of the incident.

United Health Centers stated it found out on September 22, 2021 that the attacker exfiltrated patient information from its network. It engaged third-party experts to determine the extent of the data breach. According to the investigation results, data was exfiltrated from August 24, 2021 to August 28, 2021. A detailed analysis of the compromised information was finished on April 11, 2022. United Health Centers stated that it then worked promptly to deliver notification letters to those individuals whose data was included in the compromised documents.

The documents included names, health record numbers, and Social Security numbers. Impacted persons were offered a free 12-month membership to an identity theft restoration and credit monitoring service from Experian. It is currently unclear exactly how many individuals were impacted.

Lee County Emergency Medical Services Informs Patients Affected by Third-Party Data Breach

Lee County Emergency Medical Services has begun notifying a number of patients about a data breach involving its business associate Intermedix Corporation. The two companies had worked together for about 15 years before terminating their contract in September 2014. Intermedix Corporation had provided certain patient data to the law firm Smith, Gambrell & Russell (SGR).

Lee County Emergency Medical Services stated in a breach notification posted on its website on August 11, 2022 that it received a notification on August 4, 2022 about a data breach that occurred at the law firm. SGR stated it found out on August 9, 2021 that an unauthorized individual exfiltrated files containing its clients’ sensitive data from its systems. A vendor was engaged to help investigate and determine the extent of the breach.

The analysis of the files was finished on May 17, 2022. SGR said the breached data included names, addresses, driver’s license numbers, Social Security numbers, government IDs, and medical data such as medical history, treatment, and diagnosis. SGR reported that it took the necessary steps to strengthen security and has provided the affected patients with free credit monitoring services.

Lee County Emergency Medical Services stated it was informed of the breach on August 4, 2022, and has since been working directly with Intermedix Corporation to identify the impacted persons. Notification letters will be sent to impacted persons in 14 to 21 days. The breach has not yet been posted on the HHS’ Office for Civil Rights breach website, so it is unclear how many persons were impacted. Lee County Emergency Medical Services reported that approximately 2% of the files provided to SGR had been exposed.