Manchester Ophthalmology in Connecticut encountered a cyberattack that made it possible for attackers to get access to patient information. Employees of the eyecare provider spotted strange activity on its systems, which led to the discovery of the cyberattack on November 25, 2019. A third-party technology firm assisted in the investigation of the incident and determined later that day that hackers accessed the system and attempted to deploy ransomware. From November 22 to November 25, 2019, the hackers acquired network access, but Manchester Ophthalmology terminated remote access without delay and averted data encryption.
Manchester Ophthalmology did not receive any information that would indicate the access or download of patient data by attackers, nevertheless, the investigators affirmed that certain patient information had no backup making it impossible to retrieve. The following types of data were lost: patient names, information regarding the care gotten by Manchester Ophthalmology patients and medical histories.
Patients were directed to be vigilant and keep an eye on their explanation of benefits statements and accounts in case the attackers use them for data fraud. Manchester Ophthalmology provided further training about proper data backup to employees.
The Department of Health and Human Services’ Office for Civil Rights received the breach report indicating that around 6,846 patients were affected by the security breach.
Data Breach at UnitedHealthcare
On January 31, 2020, UnitedHealthcare, the health insurance company in Minnetonka, MN reported a data breach in 2019 that potentially compromised the personal data of some customers in South Carolina.
The data security breach was discovered on December 10, 2019. An unauthorized person viewed members’ health data sometime in July 30, 2019 to Nov 13, 2019 using UnitedHealthcare’s member portal. The compromised data included information such as the members’ first and last names, health plan details, and medical claims details.
UnitedHealthcare filed a breach report to law enforcement and an investigation is ongoing. The health insurance company already implemented measures to stop identical breaches later on. The HHS’ Office for Civil Rights breach portal published the breach indicating that it affected 934 people.
Cook County Health Mailing Error
Chicago, IL Cook County Health notified 2,713 people concerning its error of mailing certain protected health information (PHI) to a third-party vendor. The forwarded data to the vendor was about individuals participating in the #keepingitLITE research. The vendor was tasked to help in mailing the research data.
The research participants list included information such as names, addresses and email addresses. The information was sent to the vendor before entering into a business associate agreement (BAA). A BAA is a requirement by HIPAA to prove that a vendor agreed to implement safety measures to secure data privacy. There’s no assurance that the vendor has sufficient safeguards in place without a BAA.
Cook Country already took steps to ensure there won’t be the same error again.