PHI Exposed Due to Hacking Incidents in 3 HIPAA-Regulated Entities

PHI of Approximately 69,000 Persons Compromised in Comstar Hacking Incident

Comstar based in Rowley, MA provides ambulance invoicing, collection, ePCR Hosting, and client/patient services. It found out that an unauthorized third-party acquired access to selected parts of its servers which kept files comprising personally identifiable information and protected health information (PHI) of individuals. A few of those files were affirmed to have been viewed.

The substitute breach notice did not mention when the breach happened, however, it was discovered on or about March 26, 2022. An evaluation of the affected files affirmed they included data such as names, dates of birth, Social Security numbers medical evaluation and medication details, and health insurance information. Comstar mentioned it already had rigid security protocols in place, an evaluation was performed of its policies and procedures associated with data security, and measures will be implemented to further safeguard against comparable occurrences later on. There was no evidence of information theft or misuse of information discovered; nevertheless, as a safety measure, Comstar offered complimentary credit monitoring and identity theft protection services.

The breach report was submitted to the HHS’ Office for Civil Rights indicating that 68,957 people were impacted.

DialAmerica Marketing Data Breach Affects About 20,000 People

The HIPAA business associate based in New Jersey, DialAmerica Marketing, which offers telemarketing solutions for nearly one-fourth of the top health plan companies in the U.S.A., has reported that it suffered a hacking incident that resulted in unauthorized access to its system on July 4, 2021. The forensic investigation of the data breach confirmed the network compromise from February 2, 2021 to July 9, 2021. Throughout that period of time, the PHI of people had been potentially accessed or stolen. The analysis of the impacted files was finished on February 4, 2022, and affirmed the potential compromise of names, addresses, and some (unspecified) information.

The breach report submitted to the HHS’ Office for Civil Rights indicated that 19,796 persons were affected.

Express Scripts’ Client Accounts Viewed by Unauthorized Third Party

Express Scripts, the pharmacy benefit management company, has reported that an unauthorized third party accessed the accounts of a number of customers. The breach notification sent to the Massachusetts Attorney General explained that a number of Express Scripts mobile app accounts had been viewed with no authorization using the right username and password.

The company noticed the suspicious activity on May 1, 2022, and determined that the account breaches happened from April 30 to May 3, 2022. Records in the accounts that were potentially accessed contained names, prescription medicine names, the names of pharmacies, prescription numbers, medicine dosage, and prescribing doctors’ names.

Upon discovery of the security breach, the company secured the impacted accounts and reset the passwords. Incidents like this are frequently caused by password spraying – using compromised usernames and passwords to gain access to completely not related accounts. These attacks become possible because of using passwords again on several platforms. Express Scripts has advised the impacted persons to alter their passwords on all their accounts that have similar passwords.

It is presently uncertain how many people were impacted.

About Christine Garcia 1192 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA