Data Breaches Reported by CentraState Healthcare System, Skin MD, California Department of Social Services, and MKS Instruments

Hacking and Data Theft Incident at CentraState Healthcare System

CentraState Healthcare System based in Freehold Township, NJ has just reported that unauthorized individuals breached its network. On December 29, 2022, the healthcare provider detected unusual activity inside its computer systems. It immediately took action to secure the network and prohibit unauthorized entry. CentraState together with the Federal Bureau of Investigation (FBI) and third-party cybersecurity specialists are looking into the breach. It was confirmed that an unauthorized party extracted a copy of a stored database that included patients’ protected health information (PHI).

The database contained these data: names, addresses, birth dates, medical insurance data, patient account numbers, medical record numbers, and Social Security numbers. In addition, a few data associated with care gotten at CentraState, for example, date(s) of service, doctor names and department, treatment options, diagnoses, consultation notes, and prescription details. CentraState stated it regularly improves the protection of its electronic systems and is doing so, and will likewise apply extra safety measures to avoid upcoming attacks. It started sending notification letters to impacted persons on February 10, 2023, and offered free credit monitoring and identity theft protection services to those who had their Social Security number exposed.

CentraState has submitted the incident report to the HHS’ Office for Civil Rights however the incident is not yet showing on the HHS Web Breach Website. Therefore, the number of individuals affected is still uncertain but reported that approximately 671,000 CentraState Medical Center patients were affected by the breach.

Paper Records of Skin MD Temporarily Exposed

Skin MD based in Massachusetts offers cosmetic and laser skin care solutions to its clients. It just submitted a data breach report to the HHS’ Office for Civil Rights indicating that 7,558 patients were affected. The breached paper records were stored in a protected, off-site storage center. On November 12, 2022, Skin MD discovered that the paper records were discarded in a non-secure way.

Skin MD stated someone informed the authorities concerning the inappropriate disposal of the documents on November 14, 2022. A law enforcement agent picked up the records, which Skin MD later collected and secured. The documents were unsecured for 2 days, which could have been viewed by unauthorized persons. But no proof of theft, tampering or unauthorized access was found.

The records included demographic data, medical data, Social Security numbers, and financial details. Skin MD is currently notifying the impacted persons and offering them free credit monitoring and identity theft protection services for 24 months.

1,600 Patients Affected by Phishing Attack on Vitra Health

Home health service provider Vitra Health based in Braintree, MA has informed 1,618 patients about the exposure and potential theft of some of their PHI. On December 8, 2022, Vitra Health found out that an unauthorized person had accessed an employee’s email account. The investigation confirmed that the attacker acquired access to the account after getting clicks on a phishing email. Prompt action to secure the account was taken, and so only one email account was breached.

A third-party analysis of the account affirmed it included data like names, addresses, birth dates, telephone numbers, referral data, Health Plan ID numbers, and diagnoses. Vitra Health has put in place more email security solutions, given additional employee training, and hired a third-party company to perform a HIPAA Risk evaluation.

Insider Breach at California Department of Social Services

The California Department of Social Services (CDSS) has just sent notifications to selected persons regarding an insider breach incident that affected their Social Security numbers. The CDSS discovered on January 6, 2023 that an employee emailed a document containing the first and last names of individuals, bargaining unit numbers, and Social Security numbers to a personal email account. The employee involved was contacted right away and instructed to delete the email message. The employee did just as requested.

The CDSS stated it is working on employing extra security controls to avoid the same incidents later on. There was no reason given that explains why the employee emailed the document, nor details regarding the sanctions associated with the incident. It is presently unknown how many persons were impacted.

Ransomware Attack on MKS Instruments

MKS Instruments based in Andover, MA produces measuring and control devices. It reported recently that it suffered a ransomware attack. As per the breach notification letters sent on February 16, 2023, the parent firm of MKS along with the Atotech group of companies detected the attack on February 13, 2023, which is three days prior to sending the notifications.

The notification letter submitted to the Attorneys General in California and Montana details that fast action done to control the attack and that the incident is currently under investigation. MKS stated that the attack impacted a number of business systems, like the production-associated systems, which obligated a momentary shutdown of selected operations. It is still working on restoring systems as fast as it can since it is more secure.

MKS stated that it is presently not aware of any known risks or threats to each data subject, however, data theft can’t be excluded. The types of data possibly stolen were names, contact details, addresses, work sign-in credentials/passwords, marital status, government ID numbers (including SSNs), veteran status, nationality, immigration condition, race, gender, sexual orientation, bank account details, payment card data, data regarding compensation status and equity, job placements, time/hours previously worked, data concerning handicaps, health and medical issues, employer union data, medical insurance details, and basic data about spouses, children, and emergency contact details. Impacted persons received offers of free identity theft monitoring and protection services for 24 months.

As of this time, the number of individuals affected is still unclear.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at