Recent Email Account Breaches and Cyberattacks on Healthcare Providers

Oklahoma Institute of Allergy Asthma and Immunology Stops Operations After Cyberattack

The Oklahoma Institute of Allergy Asthma and Immunology was forced to suspend operations while it recovered from a cyberattack. Its patients had to wait for care or seek treatment at other facilities. The asthma and allergy clinic was shut down for about two weeks due to the attack; however, the closure appears to be temporary. The clinic furloughed staff while systems were offline and recovery efforts were underway. The closure was necessary because the clinic could not access patient files. The clinic has not posted a breach notification on its website or reported the breach to government bodies, so the extent to which patient information was exposed is not yet known.
Larger healthcare organizations may temporarily reroute ambulances and cancel a number of visits after a ransomware attack, but they do not usually stop operations. Smaller healthcare organizations may have no other option. Recently, Murfreesboro Medical Clinic & SurgiCenter in Tennessee stopped operations for two weeks while it recovered from a cyberattack. A 2022 survey showed that 25% of healthcare companies would be forced to briefly stop operations in the event of a ransomware attack.

Hacking Incident at Uintah Basin Healthcare Impacts About 104,000 Patients

Uintah Basin Healthcare, a health system based in Roosevelt, UT, has learned that hackers gained access to its system and may have viewed or obtained the protected health information (PHI) of 103,974 patients. The company detected suspicious network activity on November 7, 2022, and immediately secured its digital environment. Third-party cybersecurity professionals investigated the breach and confirmed on or about April 7, 2023, that patient data had potentially been accessed. The breach notification letter doesn't say when the hackers first gained access to the network.
The analysis of the breached files confirmed that they included a variety of PHI, which differed from one person to another. The data relates to patients who received healthcare services from March 2012 to November 2022. The exposed data included names, birth dates, addresses, Social Security numbers, medical insurance data, diagnoses/conditions, prescription drugs, test data, and procedure details. Notification letters were sent on April 10, 2023.
Uintah Basin Healthcare offered free credit monitoring and identity protection services to the people affected by the breach. It has also improved security to prevent similar incidents in the future; the improvements include the SentinelOne endpoint detection and response solution with 24/7 monitoring.

Email Account Breach at Asian Health Services

Asian Health Services, based in Oakland, CA, has recently notified patients about a data security incident that affected an employee's email account. The company detected suspicious activity in the account on February 13, 2023, and immediately secured the account to prevent further unauthorized access. A forensic investigation was carried out to determine the extent of the incident. It confirmed that the email account was compromised from February 7, 2023, to February 13, 2023, and a review of the emails and attachments confirmed that they included names, dates of birth, medical record numbers, telephone numbers, and medical data such as diagnoses.
Asian Health Services did not find any evidence suggesting that patient data was compromised; however, the possibility cannot be ruled out. The company provided free 12-month credit monitoring, fraud support, and remediation services to the affected individuals. Asian Health Services stated that a third-party cybersecurity company has confirmed that the email account is no longer accessible, and that additional email security measures were implemented to provide an extra layer of security.

Impermissible PHI Disclosure at the New Mexico Department of Health

The New Mexico Department of Health recently announced the impermissible disclosure of the PHI of 49,000 deceased patients to a reporter. The reporter requested information under the Inspection of Public Records Act and was given a spreadsheet that listed all deaths in New Mexico from January 2020 to December 2021. It was later discovered that the spreadsheet included PHI that should not have been disclosed. The Department of Health stated that the spreadsheet didn't contain names, dates of birth, addresses, or contact details.

Oyate Health Center Informs Patients Regarding Impermissible Disclosure of PHI

Oyate Health Center, based in South Dakota, discovered an unintentional impermissible disclosure of the PHI of 575 individuals. The data lists pharmacy visits from August 31, 2021, to September 8, 2021.
During Oyate Health Center's move to a new clinic area, boxes of extra supplies were given to community groups. On March 7, 2023, one of those groups opened one of the boxes and found a weekly pharmacy report that lists patients along with their chart number, date visited, and a diagnosis code associated with the prescribed medicines they were filling. Two people at the non-profit group saw the list, and they locked it in a secure location until it could be collected.
Under HIPAA, this incident is an impermissible disclosure. Oyate Health Center stated the list was seen by other people and the information does not seem to have been missed. Because of the incident, the health center implemented new internal controls, guidelines, and procedures and notified the impacted individuals.

Lake County Health Department and Community Health Center Email Account Breach

Lake County Health Department and Community Health Center, located in Illinois, has informed 1,700 patients about the potential compromise of some of their personal and medical data because of an email security breach. The health center detected the security incident on March 6, 2023. The investigation showed that an unauthorized person accessed the email account.
A third-party digital forensics company investigated the incident but did not find any evidence of data transfers involving the email account; nevertheless, unauthorized access to patient data cannot be ruled out. The analysis of the account showed that it included partly de-identified PHI about Lake County residents who likely had a communicable disease or an illness that was part of a cluster or outbreak investigated by the health department from April 23, 2012, to March 6, 2023.
The compromised data contained one or more of the following: names, birth dates, gender, telephone numbers, addresses, zip codes, email addresses, medical record numbers, diagnoses or disorders, laboratory results, and other treatment data. Additional email security measures have been applied, and employees have been given more cybersecurity training.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone