Cyberattacks Reported by Rite Aid, Wake Family Eye Care, Lancaster Orthopedic Group, and Maximus Inc

24,400 Rite Aid Customers Had Personal Information Compromised in May Cyberattack

Rite Aid has reported the theft of the protected health information (PHI) of about 24,400 of its customers in a cyberattack. The compromised files included names, dates of birth, addresses, prescription details, and limited insurance details. No Social Security numbers or financial data were exposed or stolen in the attack. Rite Aid stated that the attackers exploited a vulnerability to gain access to the sensitive information. A third-party vendor informed Rite Aid about the vulnerability, and a patch has since been applied to fix it.

Rite Aid discovered the vulnerability on May 31, 2023, and the forensic investigation confirmed that data theft occurred on May 26, 2023. Although Rite Aid did not name the vendor, the timing of the cyberattack and the type of unauthorized access indicate that this was the work of the Clop threat group, which carried out large-scale attacks exploiting a zero-day vulnerability in Progress Software's MOVEit Transfer file transfer solution.

Ransomware Attack on Wake Family Eye Care

Wake Family Eye Care, based in Cary, NC, recently suffered a ransomware attack. It detected the attack on June 2, 2023, after discovering that files had been encrypted. Systems were promptly isolated to prevent further unauthorized access, and the incident was brought under control the same day. An investigation by a third-party forensics company determined the scope of the breach, and although no proof of data theft was identified, the possibility of data theft could not be ruled out.

Analysis of the files on the affected part of the system showed that they included names, addresses, birth dates, passport/driver's license/other government-issued ID numbers, partial or complete Social Security numbers, insurance numbers, optical photos, chart numbers, and associated eye reports. No financial data was exposed.

The eye care provider sent notification letters to the 14,264 persons possibly impacted by the incident.

Cyberattack on Catholic Charities of the Archdiocese of Newark

Catholic Charities of the Archdiocese of Newark has reported that unauthorized persons gained access to part of its computer network. It discovered the breach on May 8, 2023, and third-party cybersecurity specialists investigated the incident to determine its nature and extent. According to the investigation, the hackers had access to systems containing PHI from April 30, 2023, to May 8, 2023, and stole some files during the attack.

The stolen records contained individuals' names, birth dates, Social Security numbers, driver's license information, health data, and medical insurance details. The files are being reviewed to determine the number of persons affected, and notification letters will be mailed as soon as the review is finished. To meet the deadline for data breach reporting, Catholic Charities of the Archdiocese of Newark notified HHS that at least 501 people were likely affected. The actual number will be updated once the investigation is complete.

Lancaster Orthopedic Group Informs Patients Regarding March Cyberattack

Lancaster Orthopedic Group, located in Manheim Township, PA, has identified unauthorized access to its systems. It detected the breach on March 29, 2023, and analysis of the affected files confirmed the potential compromise of names, addresses, birth dates, Social Security numbers, health treatment data, and insurance details. The breach report submitted to the HHS' Office for Civil Rights indicated that about 500 persons were affected, though as many as 2,000 patients could have been impacted.

Ransomware Attack on Cheyenne Radiology Group & MRI in December 2022

Cheyenne Radiology Group & MRI, P.C. (CRG), located in Wyoming, recently sent notification letters to its patients regarding a ransomware attack it detected and blocked on December 12, 2022. According to the notification letters, the attack disrupted part of its computer network, and although data theft was not confirmed, the possibility of data exfiltration could not be ruled out. Third-party forensics experts investigated the incident and confirmed that the potentially accessed files contained names, birth dates, mailing addresses, driver's license numbers, Social Security numbers, and medical insurance data. CRG stated that it wiped and rebuilt all affected systems and has hardened security to prevent similar breaches in the future. The incident was recently reported to the Maine Attorney General as affecting around 10,420 persons.

Up to 11 Million Health Records Exposed in Government Contractor Cyberattack

Government services contracting firm Maximus Inc., based in Reston, VA, has reported in a Securities and Exchange Commission (SEC) filing that hackers exploited a zero-day vulnerability in Progress Software's MOVEit Transfer solution in May 2023. The hackers accessed the PHI of 8 to 11 million people. The Clop ransomware group was behind the attack, and Maximus was one of hundreds of organizations affected by the group's mass exploitation campaign.

According to the filing, Maximus used MOVEit Transfer to share files internally and externally, including with government clients participating in various federal programs. After being informed of the vulnerability and data breach by Progress Software, Maximus started a forensic investigation and an analysis of the affected files. During that process, Maximus confirmed that the affected files included PHI. Maximus said it could not confirm the exact number of people affected until the analysis is concluded, and that it expects the process to take a few more weeks.

Maximus has informed the affected clients and will notify all affected persons when the analysis ends. Affected persons will be provided free two-year credit monitoring and identity theft protection services. Maximus recorded a total of $15 million in expenses related to the data security incident in the quarter ended June 30, 2023.

The Department of Health and Human Services' Centers for Medicare and Medicaid Services (CMS) has confirmed that the PHI of around 612,000 current Medicare beneficiaries was compromised in this incident, and as many as 645,000 people in total. CMS stated that it is notifying the affected persons together with Maximus. According to CMS, the stolen information consists of names, birth dates, mailing addresses, email addresses, phone numbers, Medicare beneficiary numbers, Social Security numbers/taxpayer ID numbers, driver's license numbers, state ID numbers, medical insurance details, claims data, health benefits and enrollment data, and medical histories, which include notes, health record/account numbers, illnesses, diagnoses, photos, dates of service, and treatment data.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to the specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source of information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and the secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone