Allwell Behavioral Health Services based in Zanesville, OH, has reported that an unauthorized individual accessed a computer system employed to keep quality assurance data associated with the treatment of patients. The healthcare provider detected unauthorized access on March 5, 2022, with the following forensic investigation confirming the system breach on March 2, 2022.
The investigation into the breach ended at the end of April and confirmed that the files comprising sensitive data was potentially copied during the attack, though when sending notifications to impacted persons there were no reports received of any attempted or actual patient data misuse.
The types of data in the files differed from one patient to another and might have contained data like names, birth dates, Social Security numbers, telephone numbers, provider of treatment, treatment activity and date, treatment site, and payer details.
Based on the breach report published on the HHS’ Office for Civil Rights webpage, there were 29,972 patients impacted. Free identity theft protection services were provided to eligible people for one year, and for two years for affected patients in DC, CT, MA, or RI. Allwell Behavioral Health Services said its IT and computer systems were improved to boost security and avoid similar unauthorized access.
WellDyneRx Reports Email Account Breach
WellDyneRx, a pharmacy benefit manager, lately began informing 5,122 persons concerning an unauthorized person who acquired access to the firm’s email account that included sensitive patient data. WellDyneRx discovered suspicious activity in the email account last December 2, 2021, and took quick action to protect the account. The third-party forensic investigation stated that an unauthorized person accessed the account from October 30, 2021 to November 11, 2021.
There was no proof of data theft found, however, the probability of unauthorized access to ePHI cannot be excluded. The analysis of the email account showed that these types of data were possibly compromised: names, Social Security numbers, birthdates, driver’s license numbers, treatment data, medical insurance details, contact data, prescription details, and other medical/health data. Steps were taken to increase security to avoid the same attacks later on.