Getty Images/iStockphoto

Manufacturing Company Parker-Hannifin Suffers Health Plan Cyberattack, 120K Impacted

Conti ransomware allegedly claimed responsibility for the cyberattack against manufacturing giant Parker-Hannifin.

The Parker-Hannifin Corporation, a manufacturing company that specializes in aerospace hydraulic equipment, suffered a cyberattack on its health plan in March 2022. The notorious Conti ransomware group claimed responsibility for the attack by publishing data that they allegedly stole from Parker, Bleeping Computer reported.

According to the Office for Civil Rights (OCR) data breach portal, the breach impacted 119,513 individuals and affected information related to current and former employees, their dependents, and members of Parker’s Group Health Plans.

The impacted data included names and a combination of Social Security numbers, birth dates, addresses, US passport numbers, financial account information, driver’s license numbers, online account usernames and passwords, dates of coverage, enrollment information, and health insurance plan member ID numbers. For a small number of individuals, dates of service, provider names, claims information, and medical treatment information were also impacted.

Parker detected unusual activity within its IT systems on March 14 and later determined that an unauthorized party had access to its systems between March 11 and March 14. Parker began notifying impacted individuals on May 13 and offered two years of identity theft protection.

“Safeguarding the information held within the company’s systems is critically important to Parker and the company is continuing to take steps to help safeguard its systems and data against the rapidly evolving threats to company information,” the notice stated.

“Parker regrets any inconvenience or concern this incident may cause.”

Massachusetts Community Health Center Suffers Breach, 11K Impacted

Framingham, Massachusetts-based Behavioral Health Partners of MetroWest (BHPMW) recently began notifying 11,288 individuals of a data security incident that occurred in September 2021. BHPMW operates its Behavioral Health Community Partner Program under contract with MassHealth and in partnership with five other provider agencies.

On October 1, BHPMW discovered that an unauthorized actor had copied data from its digital environment. Further investigation revealed that the actor had gained access to and obtained data between September 14 and September 18, 2021. BHPMW began notifying patients of the breach on May 11, 2022.

The impacted data included names, Social Security numbers, birth dates, addresses, health insurance information, medical diagnosis and treatment information, and client identification numbers. BHPMW said it was not aware of any misuse of data as a result of the incident.

“The privacy and protection of personal and protected health information is a top priority for BHPMW, which deeply regrets any inconvenience or concern this incident may cause,” the notice stated.

Arizona Medical Center Faces Malware, 28K Affected

Arizona-based FPS Medical Center began notifying patients of a data security incident that impacted 28,024 individuals. On March 3, FPS Medical Center said it discovered that certain systems on its networks were encrypted with malware.

Further investigation revealed that an unknown actor had access to certain systems between February 28 and March 3.

“Although the investigation was unable to determine whether patient information stored in the impacted systems had actually been viewed or downloaded by the unauthorized actor, we could not rule out the possibility of such activity,” the notice explained.

“Therefore, out of an abundance of caution, a thorough review of the patient information stored within the impacted systems was performed to locate address information for potentially affected individuals in order to provide accurate and complete notices.”

The systems contained names, driver’s license numbers, birth dates, diagnosis information, and health insurance information, along with a limited amount of Social Security numbers.

“We take this event and the security of information in our care very seriously. Upon learning of this event, we immediately took steps to restore our operations and further secure our systems,” the notice continued.

“As part of our ongoing commitment to the privacy of information in our care, we are reviewing our existing policies and procedures and implementing additional administrative and technical safeguards to further secure the information in our systems and reduce the risk of recurrence.”

Unauthorized Party Exfiltrates Data From Schneck Medical Center Systems

Seymour, Indiana-based Schneck Medical Center disclosed a data security incident that impacted a “limited number of patients.” On March 17, Schneck discovered that one or more files had been removed by an unauthorized party on September 29, 2021.

The files contained protected health information (PHI), including names, dates of birth, medical record numbers , driver’s license numbers, addresses, medical diagnoses, health insurance information, and a select number of Social Security numbers and financial account information.

“Schneck Medical Center has no evidence that any of the information was or will be misused,” the notice stated.

“However, out of an abundance of caution, Schneck will notify individuals whose information was included in the limited number of files involved in this incident.”

Schneck said it has since implemented additional security measures.

Next Steps

Dig Deeper on Healthcare data breaches