Gorodenkoff - stock.adobe.com

Healthcare Data Breach At Kansas Hospital Impacts 19K

McPherson Hospital suffered a ransomware attack in July 2022 that potentially exposed patient protected health information.

Kansas-based McPherson Hospital recently notified 19,020 individuals of a healthcare data breach. According to the May 4 notice, McPherson Hospital fell victim to a ransomware attack on July 12, 2022, in which an unauthorized party accessed and disabled some of its systems.

Upon discovery, the Kansas hospital immediately engaged third-party experts to secure its environment. The team concluded its investigation on March 15, 2023, determining that the unauthorized party may have acquired certain protected health information (PHI) during the breach.

There have been no reports of misuse, but the information that was involved in the incident may have included names, Social Security numbers, medical billing information, health insurance information, dates of birth, and treatment information.

“Data security is one of our highest priorities,” the notice stated. “Upon detecting this incident we moved quickly to initiate a response, which included conducting an investigation with the assistance of IT specialists and confirming the security of our network environment. We have also reviewed and enhanced our technical safeguards to prevent a similar incident.”

University Urology Breach Impacts 56K

New York-based University Urology (UU) notified 56,816 individuals of a recent data security incident that potentially exposed protected health information. UU detected suspicious activity within its network on February 1, 2023, prompting it to engage a firm to investigate further.

The investigation determined that an unauthorized party had gained access to PHI, including names, addresses, usernames and emails in combination with a password or security question answer, medical treatment information, test results, prescription information, dates of birth, health insurance policy numbers, health plan beneficiary numbers, invoices, and subscriber identification numbers.

UU said it was unaware of any actual misuse of this data stemming from the incident but encouraged individuals to remain vigilant and monitor credit reports. UU took steps to reset all passwords, limit remote access to authorized personnel, ban malicious files, and export backup data of all critical systems.

UnitedHealthcare Reports Data Breach Tied to Credential Stuffing

UnitedHealthcare (UHC) reported a data breach to the Montana Attorney General’s Office in April. UHC said that the breach occurred between February 19 and February 25, 2023, after UHC identified suspicious activity on the UHC mobile application.

Information that may have been obtained without authorization included names, dates of birth, addresses, provider names, dates of service, health insurance member ID numbers, claim information, and group names and numbers.

Further investigation revealed that the UHC application was the target of credential stuffing.

“We deeply regret this incident and any inconvenience or concern this may cause. Upon discovery, we took prompt action to investigate the matter,” the notice stated. “Your portal account was locked to prevent any further access, and we initiated a forced password reset.”

UHC recommended that impacted individuals review bank and credit card statements for suspicious activity.

Next Steps

Dig Deeper on Healthcare data breaches