ProSmile Holdings, Valley Health System, Texas Behavioral Health Network, and City of Homer Affected by Data Breach

ProSmile Holdings Patients Affected by July 2022 Data Breach

Dental service organization ProSmile Holdings, LLC in New Jersey, notified patients on December 22, 2023, regarding an email account breach. The organization detected suspicious activity in July 2022. A third-party cybersecurity firm investigated the unauthorized activity to find out whether any sensitive information was compromised. ProSmile Holdings was informed on December 1, 2022 about the compromise of multiple email accounts and the unauthorized access. Personal and protected health information (PHI) were potentially accessed or stolen.

On January 27, 2023, ProSmile Holdings worked with a vendor to review the impacted files, which was finished on November 29, 2023. The breached data included names, birth dates, driver’s license or other state ID card numbers, Social Security numbers, payment card numbers,
financial account numbers, medical treatment data, diagnosis or clinical details, provider data, prescription details, and medical insurance data.

On March 28, 2023, ProSmile Holdings announced the data breach but did not confirm then the number of individuals impacted or what information was compromised. The HHS’ Office for Civil Rights breach portal does not display the breach report yet. The number of affected individuals is still uncertain.

It is likewise uncertain why Prosmile only discovered the involvement of patient data after 5 months, then two months later started a document review, and finished that review in 10 months. The first announcement regarding the breach was not done for 7 months, and individual notifications were issued after 17 months.

Valley Health System Impacted by the ESO Solutions Data Breach

Valley Health System based in Las Vegas has reported being affected by a ransomware attack and data breach that happened at its software dealer, ESO Solutions, at the end of September. ESO informed Valley Health System concerning the breach at the end of October and affirmed the compromise of patient names, telephone numbers, addresses, and a few personal or medical data. The breach has impacted 5 hospitals of the Valley Health System: Valley Hospital, Desert Springs Hospital, Centennial Hills Hospital, Spring Valley Hospital, and Summerlin Hospital. The impacted persons were sent breach notifications on December 12, 2023.

Cyberattack on Heart of Texas Behavioral Health Network Impacts 63,776 People

The Heart of Texas Behavioral Health Network (HOTBHN), previously known as the Heart of Texas Region MHMR Center, a company helping persons and families with intellectual and developmental disabilities, has reported a recent cyberattack that allowed an unauthorized person to access the sensitive data of 63,776 people.

Upon discovery of the attack on October 22, 2023, network access was quickly shut down. A third-party forensic incident response company investigated the breach to find out the scope of the unauthorized activity. HOTBHN stated it did not find any proof of misuse of patient data, but affirmed the exposure of patient data to a third party. The types of data compromised differed from one person to another and could have contained at least one of these: first and last name, address, birth date, Social Security number, medical and treatment data, medical record number, and medical insurance policy number.

HOTBHN mentioned it has assessed and improved its technical safeguards to avoid the same incident later on and has informed the impacted persons and provided them with free credit monitoring services and identity theft protection services for one year. The DragonForce threat group has professed responsibility for the attack and states it had stolen about 56 GB of data. HOTBHN was included in the group’s data leak website, however, the information is not accessible at this time.

4,264 Individuals Affected by United Healthcare Services, Inc. Email Account Breach

United Healthcare Services, Inc. Single Affiliated Covered Entity (UHS) has submitted a data breach report to the HHS’ Office for Civil Rights that has impacted 4,264 people. An unauthorized person acquired access to the email account of staff of Equality Health, an Accountable Care Company with UHC members. The attacker accessed the account from April 11, 2023 to April 12, 2023. Equality Health informed UHS concerning the breach on October 16, 2023. The review of the account revealed that these data are included in the email account: names, birth dates, addresses, genders, Social Security numbers, Medicare plan data, Medicare ID numbers, UHC member ID numbers, and primary care provider details.

As per UHS, the breach happened because of an employee mistake and a prior impermissible disclosure of patient data. In September 2020, a UHC staff sent member data to an Equality Health staff when trying to confirm if their primary care provider belonged to Equality Health’s network. The UHC staff shouldn’t have sent the data in the email. Both UHS and Equality Health knew about the impermissible disclosure only recently. Equality Health’s investigation revealed no proof of misuse of any breached information.

The impacted persons were informed and Equality Health has provided them with free credit monitoring services. The staff accountable for the preliminary impermissible disclosure was given additional training.

Coos Health and Wellness Cyberattack Impacts 14,040 People

The Coos, OR, Public Health Department, Coos Health & Wellness, has informed 14,040 people about the exposure and potential theft of some of their PHI by unauthorized persons in a cyberattack in April 2023.

Unauthorized activity was discovered in its system on November 28, 2023. The forensic investigation revealed that an unauthorized person acquired access to the system on or about April 28, 2023, and possibly stole selected files. The file analysis affirmed on November 20, 2023, that the compromised data included names, driver’s license numbers, Social Security numbers, state ID numbers, medical data, and medical insurance data. The company already sent notification letters to the impacted people and offered free services through IDX for 12 months. Coos Health & Wellness stated it has applied supplemental security functions to avoid the same occurrences later on.

Lost Storage Device of City of Homer Contains PHI

The City of Homer in Alaska has reported a missing portable storage device that contains the PHI of 1,412 people. The device was utilized to help the City migrate its data, but now it seems to have been missing. A complete search was done yet the device is not found. The device included a backup of health data gathered by the City as it responded to emergency health services and transport requests. The data could have contained birth dates and/or Social Security numbers. City officers have not received any report of attempted or actual misuse of the compromised information.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at