Third Party Data Breaches Documented by Apple Valley Clinic & BioTel Heart

Apple Valley Clinic, based in Minnesota, has begun sending notifications to 157,939 patients regarding the compromise of some of their protected health information (PHI) in a ransomware attack on one of its information technology vendors.

Apple Valley Clinic, which is part of Allina Health, used Netgain Technology LLC to host its IT network and computer systems. In November 2020, Netgain suffered a ransomware attack that took its data centers offline. Netgain alerted Apple Valley Clinic on December 2, 2020 to the exposure of patient information in the ransomware attack. Allina Health obtained confirmation on January 29, 2021 that patient information was involved.

The types of data compromised included names, dates of birth, bank account and routing numbers, Social Security numbers, patient billing data, and some medical information such as symptoms and diagnoses. Although a number of healthcare providers had PHI exposed, Apple Valley Clinic was the only Allina Health location affected.

Since the breach, Apple Valley Clinic has taken steps to strengthen data security, such as switching to the electronic health record system used by Allina Health. Netgain is still investigating the attack and is monitoring for any adverse consequences of the breach.

So far, Apple Valley Clinic has not received any reports that suggest misuse of any PHI involved in the attack; nevertheless, to make sure impacted patients are protected, complimentary credit monitoring and identity theft protection services are being provided.

BioTel Heart Notifies 38,575 Patients Concerning Online PHI Exposure

BioTel Heart, a cardiac data company, stated that the PHI of 38,575 patients was exposed on the internet because of a breach at one of its vendors.

BioTel Heart, a trade name that is also used by LifeWatch Services Inc. and CardioNet, LLC, was informed of a breach that occurred on January 28, 2021 when a patient found, after doing a Google search, that some of their PHI could be accessed on the web. An investigation was launched to identify the cause of the breach. It showed that one of BioTel Heart's vendors had not kept an Amazon S3 bucket secure, which made patient information accessible through search engine results. The investigation established that patient data was available online from October 17, 2019 to August 9, 2020.

The following types of data were accessible through the search engines: names, contact details, dates of birth, health insurance details, and health data associated with remote cardiac monitoring services, such as diagnoses, diagnostic tests, prescribing physicians’ names, and treatment data. Although BioTel Heart does not process Social Security numbers, a number of Social Security numbers were also breached.

BioTel Heart has confirmed that the vendor corrected the problem and protected the data on August 9, 2020. Any business partnership with the vendor has already been ended.

The vendor was informed of the breach via Amazon after a security researcher discovered the compromised information, as documented in the August 2020 Databreaches.net report. The vendor appears not to have informed BioTel Heart about the breach.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone