Priority Health, a health plan provider based in Michigan, has reported that it was affected by a data breach that occurred at a business associate, the law firm Warner Norcross & Judd (WNJ).
WNJ discovered suspicious network activity on October 22, 2021, and promptly took steps to prevent further unauthorized access. A digital forensics company assisted with the investigation and confirmed that attackers had gained access to areas of its system that held the protected health information (PHI) of roughly 120,000 members of Priority Health’s health plans.
The breached records included names and pharmacy claim details from selected prescriptions filled in 2012, such as drug names, prescription filling dates, and insurance firm names. WNJ stated it did not find any evidence of misuse of plan members’ information; however, the possibility of data theft can’t be excluded.
WNJ said Priority Health was informed about the security breach on June 6, 2022, nearly 8 months after the discovery of the security incident.
PHI Exposed Due to Attempted BEC Attack on Living Innovations
Living Innovations, a service provider to individuals with disabilities, has reported that unauthorized people obtained access to the email accounts of a number of employees between June 6 and June 14, 2022, after the employees responded to phishing emails. The email security breach was noticed on June 7, 2022, upon discovery of suspicious email account activity.
The attack seems to have been performed to try to reroute invoice payment to an account controlled by the attacker, rather than to access patient data; nevertheless, unauthorized access to patient files cannot be ruled out. An analysis of the impacted email accounts revealed they contained patient details such as names, client health insurance data, Medicaid data, Social Security numbers, and limited information associated with services received at Living Innovations.
Living Innovations stated it didn’t uncover any proof of misuse or theft of patient data; nonetheless, as a safety measure, affected persons were provided complimentary credit monitoring and identity theft protection support. Additional training was given to staff members on how to detect and avoid phishing emails.
The breach report submitted to the HHS’ Office for Civil Rights indicates that around 4,000 individuals were impacted.
2,000 Florida Springs Surgery Center Patients Impacted by Phishing Attack on Microsoft 365 Account
On June 2, 2022, Florida Springs Surgery Center discovered a breach of its Microsoft 365 email system. The investigation confirmed that an unauthorized person gained access to a staff member’s account from May 25, 2022 to June 2, 2022.
The breach happened after a staff member responded to a phishing email that impersonated a reputable entity. The analysis of the email system confirmed that the breach only affected the staff member’s account; nevertheless, that account included the PHI of 2,203 persons. The types of data differed from one person to another and may have included names, addresses, dates of birth, state ID/driver’s license numbers, Social Security numbers, financial account details, health and/or treatment data, diagnosis or procedure data, prescription drugs, medical insurance details, and payment and claims data.
Florida Springs Surgery Center has already taken steps to enhance its email security, which includes implementing multi-factor authentication on all email accounts. Free credit monitoring and identity restoration services were provided to persons whose state ID/driver’s license number, Social Security number, or financial account data were compromised.