Getty Images

3 Organizations Report Recent Healthcare Data Breaches

Healthcare data breaches are continuing to impact small and large organizations across the country.

Healthcare data breach notifications have not slowed down in the new year, and organizations of all sizes continue to suffer from security incidents.

For example, Tallahassee Memorial HealthCare in Florida and Atlantic General Hospital in Maryland are both actively responding to cyberattacks at the time of publication.

The three breaches described below all occurred in December 2022 and all resulted in potential protected health information (PHI) exposure.

Cardiovascular Associates Suffers Breach

Cardiovascular Associates (CVA) recently notified individuals of a breach that occurred at one of its locations in Alabama. On December 5, 2022, CVA discovered unauthorized activity within its systems.

Further investigation revealed that an unauthorized party was able to access and copy some data from CVA’s network between November 28 and December 5. The data involved in the breach may have included Social Security numbers, names, demographic information, medical treatment information, billing and claims information, financial data, and passport and driver’s license numbers.

“We take the security of personal information seriously. As soon as the incident was discovered, a forensic investigation was launched, and steps were taken to mitigate and remediate the incident and to help prevent further unauthorized activity,” CVA stated.

“In response to this incident, security and monitoring capabilities are being enhanced and systems are being hardened as appropriate to minimize the risk of any similar incident in the future.”

Regal Medical Group Reports Breach

Regal Medical Group, an affiliate of Heritage Provider Network (HPN) that consists of Lakeside Medical Organization, Affiliated Doctors of Orange County and Greater Covina Medical Group, discovered a breach in December 2022.

On December 2, Regal employees “noticed difficulty in accessing some of our servers,” the notice to patients stated. Regal later detected malware on its server which had been used by a threat actor to access and exfiltrate sensitive data.

The data involved in the incident may have included names, addresses, Social Security numbers, dates of birth, lab test results, prescription data, diagnoses, radiology reports, health plan numbers, and phone numbers.

Regal worked with third-party vendors to assist in its response and managed to restore access to its systems. The medical group notified the authorities and is in the process of notifying impacted individuals of the breach.

Aspire Surgical Suffers Breach

Salt Lake City, Utah-based UT Specialty Dental Services, also known as Aspire Surgical, notified individuals of a breach that occurred in early December 2022.

On December 7, Aspire Surgical discovered a “cybersecurity incident that impacted its IT systems” and immediately engaged third-party experts to remediate.

Further investigation determined that some patient information may have been exposes, including names, patient account numbers, amount paid, and dates of service. No treatment records, Social Security numbers, or financial information was exposed.

“Aspire Surgical takes its responsibility to safeguard personal information seriously, and regrets any concern this incident may have caused,” the notice stated.

“As part of Aspire Surgical’s ongoing commitment to the security of information, the organization has reviewed and enhanced its data security policies and procedures in order to help reduce the likelihood of a similar event in the future.”

Next Steps

Dig Deeper on Healthcare data breaches