Cyberattack on the University of Michigan Health Service and School of Dentistry
The University of Michigan (UM) has recently reported that it experienced a cyberattack in the summer that allowed unauthorized access to the sensitive information of students, alumni, applicants, donors, contractors, employees, research study members, and School of Dentistry and University Health Service patients.
UM discovered suspicious activity inside its computer system on August 23, 2023, and took immediate steps to address the incident and stop further unauthorized access. Third-party cybersecurity professionals helped with the investigation and confirmed that an unauthorized third party had access to its system from August 23, 2023 to August 27, 2023.
UM conducted an assessment to determine the files that could have been viewed and the kinds of information affected. The compromised information differed from one person to another and could have contained the following data elements:
- Students, alumni, applicants, donors, contractors, and employees: Name, driver’s license number or any government-issued ID number, Social Security number, payment card or financial account number, and/or medical data.
- Research study members and School of Dentistry and University Health Service patients: Name, driver’s license number or government-issued ID number, Social Security number, payment card or financial account number, medical insurance data, University Health Service and School of Dentistry clinical data (for instance, medical record number, diagnosis, treatment, or prescription drug records), and/or data associated with involvement in some research studies.
UM stated it is using the services of third-party cybersecurity professionals to strengthen its networks and better safeguard sensitive information. It mailed notification letters to the impacted persons on October 23, 2023 and offered them free credit monitoring services. The security incident is not yet posted on the HHS’ Office for Civil Rights breach portal, so it is not yet clear how many persons were impacted.
Westat & Radius Global Solutions Report Extent of MOVEit Hacks
The professional services provider Westat, Inc., based in Rockville, MD, recently reported a MOVEit Transfer hack to the HHS’ Office for Civil Rights. The notification report indicated that the PHI of 50,065 persons was exposed, including names, birth dates, and Social Security numbers. The Clop hacking group took advantage of a zero-day vulnerability from May 28 to May 29, 2023, and extracted human resources records. Westat sent notification letters to impacted persons on July 21, 2023, and offered them credit monitoring services. Two of the affected clients were Cape Fear Valley Health in Fayetteville, NC, and Meadville Medical Center in Pennsylvania.
The accounts receivable, client relations, and revenue cycle management solution provider Radius Global Solutions, based in Edina, MN, has informed the HHS about the compromise of the PHI of 135,742 people after Clop hackers took advantage of the MOVEit Transfer zero-day vulnerability. Radius learned that it was impacted on June 1, 2023, and stated the hackers took files that included names, birth dates, Social Security numbers, treatment areas, treatment codes, and treatment records. Free identity monitoring and protection services were provided to the impacted persons.
Radius submitted two notifications to the Maine Attorney General regarding the breach. The initial notification, on September 1, 2023, stated that 632,204 people were impacted, and a second notification, submitted on September 15, 2023, indicated that 9,979 people were impacted.
Data Breach Reported by Peerstar
Mental health support services provider Peerstar LLC, based in Pennsylvania, stated that 11,438 patients were notified of the compromise and possible theft of their protected health information (PHI). Peerstar detected suspicious activity on its system on March 7, 2023, and engaged third-party security specialists to look into the incident and evaluate the security of its network. It confirmed on May 17, 2023 that an unauthorized third party had access to its networks from February 22, 2023 to March 3, 2023, exposing PHI. Peerstar mentioned it does not know of any actual or attempted patient data misuse.
The types of data compromised differed from one person to another and might have contained this information: first and last name, email address, address, telephone number, Social Security number, birth date, admission and discharge dates, mental or physical health status, treatment and diagnosis data, driver’s license number or any government-issued ID number, financial account number, debit or credit card number, digital signature, birth or marriage certificate, healthcare transaction data, and/or medical insurance data, including application and claims records, and policy number or subscriber ID number.
Peerstar implemented additional cybersecurity measures, enhanced employee cybersecurity training, and improved cybersecurity guidelines, procedures, and protocols.
La Red Health Center Cyberattack
La Red Health Center, located in Georgetown, DE, submitted a data breach report to the HHS’ Office for Civil Rights indicating that at least 501 persons were affected. 501 is often used as a placeholder to satisfy breach reporting requirements when there is no confirmed total number of impacted persons yet.
La Red Health Center stated it detected suspicious activity inside its system on April 11, 2023. Third-party security professionals assisted the healthcare provider in confirming the unauthorized access to its system from March 27, 2023 to April 6, 2023. The compromised files were confirmed on August 21, 2023, and were reviewed to identify the persons impacted and to get updated contact details. The website breach notice didn’t mention what data was exposed in the attack.
Fredericksburg Foot & Ankle Center Data Breach in April 2023
Fredericksburg Foot & Ankle Center, located in Fredericksburg, VA, has submitted a data breach report to the Maine Attorney General indicating that up to 14,912 persons were affected. In the breach notice posted on October 25, 2023, the healthcare company didn’t mention when it was first alerted to a possible breach. However, it was discovered on September 5, 2023, that an unauthorized third party accessed the information on or around April 21, 2023.
The files contained patients’ PHI such as names, Social Security numbers, and other personal identifiers. Impacted persons were given free single-bureau credit monitoring services, and the healthcare company stated it would assess and change its procedures and internal controls to improve the security and confidentiality of personal data.