CorrectCare Integrated Health, a medical claims processor, recently informed its clients that the protected health information (PHI) of a number of their patients was accidentally exposed over the Internet and may have been accessed by unauthorized persons. On July 6, 2022, CorrectCare identified two misconfigured file directories on its web server that had become accessible online without authentication.
The data breach has impacted patients handled by Mediko, Inc., the largest healthcare services provider for people in correctional facilities in Virginia. Mediko has submitted a breach report to the HHS' Office for Civil Rights (OCR) indicating that 2,809 persons were affected. Sacramento County Adult Correctional Health reported that 5,372 persons were impacted. The Louisiana Department of Public Safety and Corrections states that 85,466 persons incarcerated in its state facilities were affected. Health Net Federal Services (HNFS) in California, a business associate of the California Department of Corrections and Rehabilitation (CDCR) / California Correctional Health Care Services (CCHCS), was also affected by the data breach, but it is still uncertain how many persons were impacted.
CorrectCare said it secured the web server within 9 hours of finding out about the misconfiguration. The forensic investigation confirmed that files were compromised between January 22, 2022 and July 7, 2022. The breached information involved persons who received treatment from January 1, 2012 to July 7, 2022. The records in the compromised directories contained names, birth dates, inmate numbers, and some health data, such as CPT codes, diagnosis codes, treatment providers, and treatment dates, as well as the Social Security numbers of some individuals.
On October 31, 2022, CorrectCare filed three breach reports with OCR indicating the exposure of the PHI of 496,589 persons. There is no final breach total yet, but over 590,236 persons are currently confirmed to have been impacted.
Hacking Incident at Regions Hospital
Regions Hospital, based in St. Paul, MN, has just reported that unauthorized persons acquired access to the PHI of 978 patients. It is believed that the attacker accessed its secured system to steal payments from a medical insurance company rather than to acquire patient data.
Nevertheless, the unauthorized individuals also opened a document located on the network that contained patient data, such as first and last names and Social Security numbers. Regions Hospital has already notified the affected persons by mail and provided membership in an identity theft protection service for 12 months.