Cyberattacks and Data Breaches Reported by Navvis & Company and Other Healthcare Providers

462,000 Hawaiians Impacted by the Navvis & Company Data Breach

Around 462,000 people who signed up for health plans with the Hawaii Medical Service Association (HMSA) were impacted by a data breach that occurred at a business services provider — Navvis & Company based in St. Louis, MO. Navvis & Company noticed unauthorized activity inside its systems on July 25, 2023. The forensic investigation reported the confirmed unauthorized third-party access to its systems between July 12, 2023 to July 25, 2023, and extracted sensitive data.

Navvis & Company sent notification letters by mail to the impacted health plan members last month. The data compromised in the incident included names, birth dates, health plan data, medical treatment data, case identification numbers, provider and physician details, patient account numbers, medical record numbers, and health record data. The impacted persons were provided with credit monitoring and identity theft protection services for free.

Navvis & Company submitted a breach report to OCR indicating that 917 individuals were affected. The impacted clients, such as SSM Health, mainly chose to submit the breach report themselves. Because of this, the total number of people impacted is unknown.

Atlanta Women’s Health Group Alerts 30,000 Patients Concerning Cyberattack in April 2023

Atlanta Women’s Health Group has informed around 30,000 patients about the theft of their PHI in a cyberattack that was discovered on April 12, 2023. Third-party cybersecurity professionals were involved to look into the scope of the breach and a considerable data mining activity was done to find out the people impacted and the types of data affected.

Atlanta Women’s Health Group stated that for most of patients, the compromised information was restricted to names, birth dates, patient ID numbers, and other data that could be included in medical records. It is unknown exactly which types of data were viewed or obtained. The evaluation was time-consuming and so the sending of notification letters was delayed. After the attack, Atlanta Women’s Health Group, together with outside security consultants, implemented extra cybersecurity measures to stop more attacks. Although data theft happened, Atlanta Women’s Health Group stated it does not know of any patient data misuse.

PHI Exposure at Coastal Hospice & Palliative Care in July Cyberattack

Coastal Hospice & Palliative Care based in Salisbury, MD, has reported that the PHI of 29,100 people was possibly exposed in a cyberattack in July 2023. The attack was discovered on July 24, 2023, when its system was interrupted. Cybersecurity professionals were involved to look into the incident and help with the restoration process.

The analysis of the files on the impacted section of the system was finished on November 20, 2023, and stated that the following data were exposed and was possibly acquired by the attackers: name, birth date, medical diagnosis data, Social Security number, individual health insurance policy number, doctor or medical facility data, medical problem or treatment data and patient account number. Coastal Hospice & Palliative Care stated the incident report was submitted to the Federal Bureau of Investigation. The FBI took steps to enhance security to stop identical incidents later on.

Azura Vascular Care Reports Data Breach Affecting 348,000 Patients

Azura Vascular Care in Pennsylvania operates 70 outpatient vascular centers and ambulatory surgery centers located in 25 states and Puerto Rico. In January, Azura Vascular Care advised the HHS’ Office for Civil Rights about a cybersecurity attack that affected the PHI of 348,000 individuals.

Azura Vascular Care discovered the incident on November 9, 2023. Cybersecurity professionals assisted with the investigation, which affirmed access to some systems by unauthorized persons and file encryption on or before September 27, 2023. It was confirmed on November 15, 2023 that a number of the files accessed by the hackers included patient information like names, birth dates, mailing addresses, and other demographic and contact details, like emergency contact details, Social Security numbers, insurance data, diagnosis and treatment data, and other medical or billing records details.

Some guarantor data was likewise compromised, such as names, mailing addresses, email addresses, phone numbers, birth dates, and Social Security Numbers. Azura Vascular Care stated people who had sensitive data compromised like Social Security numbers were provided free credit monitoring, identity protection, and fraud resolution services.

Cyberattack on Covenant Care California

Covenant Care California, LLC, which manages home health agencies and skilled nursing facilities all across Nevada and California, has affirmed the unauthorized access to files that contain the personal data and PHI of patients and other people. The cyberattack was discovered on November 14, 2023, and although the investigation is in progress, it was confirmed that files were extracted from its system from November 12 to November 14.

The incident impacted present and past patients, potential patient referrals, and responsible parties of patients who got services from a center or agency managed by Covenant Care, such as rehabilitation services given through a firm known as AFFIRMA and home health services given under the names Elevate Home Health, Focus Health, San Diego Home Health, and Choice Home Health Care.

The listing of impacted persons is not yet finished, however, Covenant Care California has affirmed that the incident compromised the following data: name, birth date, medical data, and/or medical insurance data, such as diagnosis or treatment details and/or claims and billing data. For several patients, the data may contain financial account or debit/credit card numbers, Social Security numbers, state/federal ID numbers or driver’s licenses, and/or other personal data.

The breach report was submitted to the HHS’ Office for Civil Rights with a temporary figure of 501 individuals affected, which will be modified as soon as the investigation finishes. Impacted persons are being provided with credit monitoring and identity theft restoration services for free.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at