PHI Compromised in Redwood Coast Regional Center Cyberattack
Redwood Coast Regional Center, a social services organization based in Ukiah, CA, offers services and assistance to children and adults who have developmental handicaps. It recently submitted a data breach report to the HHS’ Office for Civil Rights indicating that a minimum of 500 people were affected. The figure of 500 is a placeholder typically used when submitting a data breach report to OCR to satisfy the 60-day requirement of the HIPAA Breach Notification Rule when the total number of impacted persons is still unknown.
Unusual activity was noticed inside its computer system on March 6, 2024. Third-party cybersecurity experts investigated the incident and confirmed unauthorized access to its system, which included files with patient information. The types of information viewed or stolen in the attack differed from person to person and may have included names along with at least one of the following: address, telephone number, email address, birth date, driver’s license/state ID number, Social Security number, financial account data, treatment/diagnosis details, prescription data, name of provider, medical record/case number, Medicaid/Medicare ID number, medical insurance data, and/or treatment cost details.
The investigation is still in progress, and breach notification letters will be sent by mail to the impacted people when the investigation is over. Free credit monitoring and identity theft protection services were provided to the impacted people, and cybersecurity experts have assisted with applying extra security measures to prevent similar incidents in the future.
New Jersey Dermatology Practice Encounters 380,000-Record Data Breach
Affiliated Dermatologists and Dermatologic Surgeons (ADDS), based in Morristown, NJ, has reported a serious patient data breach. On March 5, 2024, ADDS discovered a ransom note on its system stating that the system had been breached and data stolen. ADDS informed its third-party IT service provider and had cybersecurity professionals investigate and confirm the threat actor’s statements. They established that there was unauthorized access to the system from March 2, 2024 to March 5, 2024. Evidence was also found confirming the extraction of files from its system.
An analysis was done to determine the scope of the breach. On April 10, 2024, it was established that the attacker had access to the personal data of patients and workers. The breach report was recently submitted to the HHS’ Office for Civil Rights as affecting the protected health information (PHI) of around 380,000 individuals. The types of data affected differed from person to person. Patient data potentially exposed in the cyberattack includes names, birth dates, mailing addresses, Social Security numbers, medical insurance claims details, and medical treatment data. Compromised employee information includes names, birth dates, Social Security numbers, mailing addresses, driver’s license numbers, and passport numbers.
The impacted people are currently being informed by mail. The breach notification letters state the specific types of data that were exposed for each person. Many healthcare companies only give free credit monitoring and identity theft protection services to those who had their Social Security numbers and/or financial data compromised, but ADDS has provided the services to all impacted persons. ADDS stated that, at the time of issuing the notification letters, it did not know of any misuse of the breached information.
ADDS explained that it has taken a number of steps to enhance security and prevent similar incidents in the future, which include resetting all account passwords on the system and using multi-factor authentication for all remote access and round-the-clock system security monitoring.
895,000 Singing River Health System Patients Impacted by a Ransomware Attack in August 2023
In August 2023, Singing River Health System, based in Mississippi, encountered a Rhysida ransomware attack, which was at first reported to the HHS’ Office for Civil Rights as impacting 501 people because the number of impacted persons had not yet been confirmed. In December 2023, the total was changed to 252,890 persons. Still, the data breach turned out to be a lot worse than earlier thought. In a new report to the Maine Attorney General, Singing River Health System revised the number of victims to 895,204 people.