Healthcare data breaches are piling up 3 months into the year
Individuals impacted by these healthcare data breaches at hospitals and other entities are encouraged to monitor account statements and credit reports for suspicious activity.
As of the first week of March, 116 healthcare data breaches have been reported to the HHS Office of Civil Rights (OCR) in 2024, impacting over 13 million individuals. The most common breach types were hacking and IT incidents at healthcare systems across the United States.
In the following article, HealthITSecurity highlights some of the bigger breaches reported to OCR this month.
UNITE HERE
In February, labor union UNITE HERE reported a data security incident that may affect the privacy of information of members of certain local unions and health funds. The organization became aware on October 20, 2023, that an unauthorized third party accessed its systems, prompting it to terminate the access, increase security, reset system passwords, and bring in cyber specialists to assess the nature and scope of the event.
UNITE HERE did not find any evidence of identity theft or fraud but said the third party likely accessed information such as names, Social Security numbers, state identification numbers, driver’s licenses, alien registration numbers, tribal identification numbers, birth certificates, passport numbers, marriage licenses, signatures, financial account information, and medical information.
The labor union notified the 791,273 individuals whose information was in the system at the time of the incident. UNITE HERE is offering credit monitoring and identity theft protection services through IDX and has encouraged members to review account statements and credit reports for suspicious activity.
Northeast Orthopedics and Sports Medicine
Northeast Orthopedics and Sports Medicine notified patients that on November 22, 2023, it became aware of unauthorized activity on its computer network. The health system immediately began an investigation with a third-party specialist.
On February 8, the health system completed its review and confirmed that an unauthorized party may have accessed the personal information of 177,276 individuals. The party accessed names or other personal identifiers in combination with financial account numbers or credit and debit card numbers.
There is no evidence that the information has been or will be fraudulently misused, but Northeast Orthopedics is offering impacted people access to complimentary credit monitoring and protection services.
Cogdell Memorial Hospital/Scurry County Hospital District
On or around October 10, 2023, Scurry County Hospital District, doing business as Cogdell Memorial Hospital, discovered unusual activity in its computer systems. Cogdell reset passwords, secured its network, and worked with a third-party forensic firm to investigate.
The hospital discovered that a limited amount of protected health information may have been accessed, although there is no evidence that any information has been misused. The exposed information included patient names, addresses, dates of birth, Social Security numbers, medical record numbers, and medical treatment information.
Cogdell has implemented additional security measures within its network and facilities and is reviewing current policies and procedures related to data security.
The hospital has notified potentially affected individuals—a total of 86,981—via US mail and is providing them with complimentary credit monitoring services. In addition, patients are encouraged to monitor account statements and explanation of benefits forms for suspicious activity or errors and contact major credit agencies to place a fraud alert on their credit report.
McKenzie County Healthcare System
McKenzie County Healthcare System became aware of suspicious activity related to an employee email account on or around October 5, 2023. The health system confirmed the security of its network, emailed the employee in question, and launched an investigation to determine the nature and scope of the incident.
After determining that an unauthorized actor gained access to an employee email account between October 2 and October 4, 2023, McKenzie Health started reviewing the information that may have been involved to identify affected individuals. As of February 13, the review is ongoing.
The exposed information may include the name, address, medical information, and health insurance information of 21,000 people. There is no evidence that the information has been misused.
McKenzie Health has notified impacted individuals and applicable regulators. The health system is also offering credit monitoring and identity protection services and recommends that individuals review account statements, explanation of benefits forms, and free credit reports for suspicious activity.
UC San Diego Health
On January 9, UC San Diego Health identified a phishing attack against its employees, resulting in unauthorized access to two employee email accounts. After discovering the event, the hospital secured the email accounts, enhanced security controls, and began an investigation to determine what information was involved and to whom the information belonged.
The accounts were accessed for brief periods between January 9 and January 22. The hospital completed a review of the email accounts’ contents on or around February 26.
The information involved was related to patients in the lung transplant and rheumatology departments. The information may have included patient names, addresses, email addresses, dates of birth, medical record numbers, treatment cost information, health insurance information, medications, provider names, and diagnoses. For some patients, Social Security numbers were exposed.
UC San Diego Health said it is continuing to improve security to minimize the risk of similar incidents in the future and is providing phishing prevention training and education to employees. The hospital notified individuals whose information was involved in the event and is offering complimentary credit monitoring and identity theft protection services to those whose Social Security number was involved.