Data Breaches Reported by The Hutchinson Clinic, 90 Degree Benefits and 5 Other Healthcare Providers

Hacking Incident at The Hutchinson Clinic in December 2022

The healthcare company The Hutchinson Clinic based in Hutchinson, KS lately reported that hackers gained access to its system from December 19, 2022 to December 22, 2022. At the time of access, the hackers potentially accessed and stole files that contain patient information. Based on the data breach notice posted on the clinic’s website, the affected data involved names, contact details, dates of birth, driver’s license numbers, Social Security numbers, medical insurance data, medical record numbers (MRN), medical backgrounds, diagnoses, treatment data, and names of doctors.

The Hutchinson Clinic is now reviewing the compromised files and will send notifications to impacted persons upon completion of that process. According to The Hutchinson Clinic, it has reviewed its guidelines and procedures and will be applying more technical and administrative safety measures to better protect its systems and avoid other incidents of similar nature.

The incident is not yet posted on the HHS’ Office for Civil Right breach portal, therefore the number of affected patients is uncertain at this time.

Hacking Incident at 90 Degree Benefits Affected 175,000 Persons

On February 8, 2023, the employee benefits firm, 90 Degree Benefits Inc. based in Wisconsin, submitted a data breach report to the HHS’ Office for Civil Rights indicating that the protected health information (PHI) of 175,000 persons was affected. There is presently no data breach notice posted on the website of 90 Degree Benefits. The only information circulating about the incident is that it was a hacking/IT incident affecting a network server.

This is the second time the firm reported a large-scale data breach. The first report was on June 6, 2022. The breach report submitted by 90 Degree Benefits to the HHS’ Office for Civil Rights indicated that 172,450 people were affected. The company discovered the breach on February 27, 2022 and it was confirmed by a forensic investigation that hackers got access to its system from February 24 to February 27, 2022. The information potentially stolen by the hackers includes names, Social Security numbers, and addresses.

Health Plan Data Breach at Bridgewater-Raritan Regional School District

Bridgewater-Raritan Regional School District lately reported that hackers acquired access to its computer system last December 2022 and possibly viewed or stole the data of workers who were registered in its Health Benefit Plan. It was discovered on December 12, 2022 that there were suspicious activity inside its network. A third-party cybersecurity agency helped to investigate the incident. It was confirmed that unauthorized individuals accessed its systems from December 10 to December 12. In that period of time, the attackers potentially accessed files that contain names, enrolment selection data, and Social Security numbers. Impacted workers received notifications on January 27, 2023, and received offers of free identity theft monitoring service memberships.

The breach report submitted to the HHS’ Office for Civil Rights indicated that up to 3,909 persons were affected.

Hacking Incident at Evergreen Treatment Services Impacts 21K Patients

Evergreen Treatment Services based in Washington provides addiction treatment services. It reported on February 13, 2023 that unauthorized persons acquired access to its IT systems and possibly viewed patient data, such as names, addresses, dates of birth, Social Security numbers, and treatment data.

A third-party cybersecurity company helped investigate the incident but did not find any cases of fraud or identity theft; nevertheless, as a safety measure, the 21,325 impacted patients were provided free credit monitoring and identity theft protection services. There was no mention in the Evergreen Treatment Services breach notice when it discovered the incident, how much time the attackers got access to its system or any data concerning the nature of the cyberattack. The provider already enhanced its data security guidelines as a response to the breach to stop the same incidents later on.

Cyberattack on Texas Orthopaedics and Sports Medicine and Data Theft

Texas Orthopaedics and Sports Medicine (TOSM) based in Tomball, TX has reported that an unauthorized third party accessed its network and extracted files that contain names, medical data and driver’s license numbers. TOSM discovered the attack on November 28, 2022 upon identifying suspicious activity within its system. The forensic investigation showed the attackers accessed the network from November 22 to November 29. TOSM mentioned it discovered the compromise of patient data on February 10, 2023, and sent notifications to the 1,023 impacted people on February 23. TOSM stated it took steps to strengthen security and provided additional training to employees. Impacted persons received offers of credit monitoring services for one year.

Patient Data of Sentara Healthcare Exposed On the Internet

Not-for-profit healthcare company, Sentara Healthcare based in Norfolk, VA, provides patient care in Virginia and northeastern North Carolina. It lately advised 741 patients about the exposure of some of their PHI on the internet. Sentara Healthcare was informed regarding the exposed information by an anonymous person who happened to find a PDF file on the web while looking for data on converting PDF files to another file format. A person had published a Medicare remittance file to an Adobe Acrobat web page that included the information of patients of Sentara Healthcare.

Sentara Healthcare stated that the PDF file, which was uploaded on October 17, 2022 was still accessible on the web. The name of the person who published the file is unknown, but Sentara Healthcare mentioned that he/she was a staff of Coronis Health, which is its business associate offering billing-related services for laboratories. Sentara Healthcare notified Coronis Health regarding the compromised information on December 19, 2022, and removed the file on December 20. Coronis Health offered additional training to its team of employees to address the blunder. The file included names of patients, dates of service, Medicare ID numbers, location of service, CPT codes, the last 4 numbers of account numbers, and outstanding amounts. Affected individuals received offers of credit monitoring services.

Email Account Breach at Compass Behavioral Health

On February 28, 2023, Compass Behavioral Health based in Garden City, KS informed 537 patients with regards to a security breach that resulted in the exposure of some of their personal data and PHI. On or about December 13, 2022, Compass found out that the email account and linked OneDrive account of an employee had been breached. It was confirmed by the forensic investigation that the account included a spreadsheet with a list of case reports kept by Compass for documenting breaches of procedure, accidents, injuries, and uncommon incidences. The spreadsheet contained data such as names, birth dates, dates of death, addresses, treatment locations, medical record numbers, data associated with medical occurrences, limited medical data, and prescription drug details. In response to the breach, Compass changed credentials and implemented multi-factor authentication. There were no reports received of attempted or actual misuse of the compromised data.


About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at