Fallon Ambulance Service Data Breach Impacts 911K Individuals

The now-defunct ambulance service suffered a data breach when a threat actor accessed its data storage archive.

Fallon Ambulance Service, a medical transportation company that served the greater Boston area, reported a data breach that impacted more than 911,000 individuals. Fallon was a subsidiary of Transformative Healthcare until December 2022, when it ceased operations.

Although the company was no longer providing services, it maintained a data storage archive to fulfill legal obligations. In April 2023, Fallon discovered that an unauthorized party had accessed the data storage archive from February to April and obtained files containing personal information.

The files contained names, addresses, Social Security numbers, COVID-19 testing and vaccination information, medical information, and information provided to Fallon in connection with employment. Fallon notified impacted individuals of the breach in December 2023.

“While Fallon is no longer operational, it nonetheless takes the protection of information seriously and has taken steps to secure data that may be stored in its archives for compliance with its legal obligations,” a notice provided to the Maine Attorney General’s Office stated.

Fallon offered identity theft and fraud protection services to the impacted individuals.

Massachusetts Hospital Suffers Christmas Day Cyberattack

Anna Jaques Hospital in Newburyport, Massachusetts, confirmed a cyberattack that occurred on Christmas Day, December 25. The not-for-profit community hospital is part of Beth Israel Lahey Health.

According to a statement from the hospital shared with WCVB, the attack impacted the hospital’s electronic healthcare records and forced it to temporarily divert ambulances to nearby hospitals.

“Recovery efforts are still in progress,” a spokesperson told the local news outlet. “Patient safety remains our top priority, and the hospital remains open to all patients. We appreciate the community’s patience as we work through this investigation.”

It is unclear at this time how many individuals were impacted.

NYC Health + Hospitals Notifies Patients of Possible PHI Disclosure

NYC Health + Hospitals/Kings County notified patients of a potential protected health information (PHI) disclosure that occurred between October 2021 and August 2023. A Kings County volunteer improperly accessed a laboratory to assist in the processing of lab test specimens for Kings County patients, despite not being authorized to work in the lab.

The implicated PHI included patients’ names, dates of birth, medical record numbers, lab tests ordered, and locations within the hospital.

The hospital stated that it had no reason to believe that the PHI had been misused in any manner.

“NYC Health + Hospitals has taken measures to ensure this type of incident does not reoccur. Specifically, the employee who granted the volunteer access to Kings County is no longer employed by NYC Health + Hospitals and is barred from future employment with NYC Health + Hospitals,” the hospital told patients.

“The volunteer who inappropriately entered the Kings County laboratory is also no longer volunteering at NYC Health + Hospitals and is barred from future volunteer work or employment with NYC Health + Hospitals. In addition, a notice was sent to NYC Health + Hospitals laboratory personnel advising them that they are prohibited from allowing non-employees access to any of its laboratories.”
