4 Organizations Report Recent Healthcare Data Breaches
A substance abuse treatment facility in Washington, a community healthcare system in Virginia, a health plan in New Jersey, and a health clinic in Kansas all recently notified patients of healthcare data breaches.
Healthcare data breaches remain a persistent problem for healthcare organizations, with no signs of slowing down. Despite increased efforts to strengthen cybersecurity, the industry remains a prime target for threat actors seeking to exploit sensitive patient information, underscored by four recently reported breaches, which are detailed below.
Evergreen Treatment Services Suffers Breach, 21K Impacted
Washington-based substance abuse treatment facility Evergreen Treatment Services (ETS) notified the US Department of Health and Human Services (HHS) of a potential data breach that may have exposed the protected health information (PHI) of approximately 21,325 individuals who sought care at the facility.
After learning of a cybersecurity incident that impacted IT systems, ETS immediately engaged a third-party expert to assess, contain, and remediate it. ETS later determined that an unauthorized party had gained access to its network, exposing name, address, date of birth, Social Security number, and treatment information.
“While the investigation did not find any instances of fraud or identity theft that have occurred as a result of this incident, out of an abundance of caution, ETS is notifying individuals whose personal information was involved and providing resources they can use to help protect their information,” the report stated.
In response to the recent data breach, ETS has announced that it will provide affected individuals with complimentary credit monitoring and identity theft protection services through IDX. Furthermore, the organization advises that individuals carefully review any statements they receive from their healthcare providers or insurers. If individuals notice any discrepancies, such as medical services they did not receive, ETS recommends immediately contacting the relevant provider or insurer to address the issue.
“ETS takes its responsibility to safeguard personal information seriously and regrets any concern this incident may have caused,” the report stated. “As part of ETS’s ongoing commitment to the security of information, the organization has reviewed and enhanced its data security policies and procedures in order to help reduce the likelihood of a similar event in the future.”
Sentara Healthcare Alerted to PHI Exposure Following Anonymous Tip
Sentara Healthcare, based in Virginia, was made aware of a data security incident resulting in the exposure of certain patient information following a tip received via the Sentara Compliance Hotline. The incident impacted 741 individuals.
On December 19, 2022, an anonymous individual reported coming across a Medicare remittance document online while searching for information on converting PDF files to a different format.
Upon investigation, Sentara confirmed that a PDF copy of a Medicare remittance report for Sentara Lab services had been uploaded to the Adobe Acrobat site on October 17, 2022.
On that same date, the community healthcare system learned that the individual who uploaded the document was an employee of their business associate, Coronis Health, with whom Sentara Lab Services contracts to process billing-related information for lab services.
The impacted information included the patient’s name, Medicare ID number, the date of service, Current Procedural Terminology or “CPT” codes (codes used to describe medical procedures performed by health care providers), the last four digits of the account number, the location of service (the Sentara Lab), and any outstanding balance on the account.
Once Coronis was made aware of the issue, the organization promptly took action by conducting an investigation and removing the information from the Adobe Acrobat site on December 20, 2022. The employee who uploaded the information was terminated, and Coronis retrained and educated their entire team on their policies and procedures for handling protected health information.
“We take our responsibility to safeguard personal information seriously and apologize for any inconvenience or concern this incident might cause,” Sentara stated in a breach notification letter to patients. “We are committed to taking steps to help prevent something like this from happening again, including evaluating additional platforms for educating staff and reviewing technical controls.”
Health Plan of Bridgewater-Raritan Regional School District Reports Data Breach
Bridgewater-Raritan Regional School District (BRRSD) recently notified 3,909 individuals of a data breach involving unauthorized access to health plan information.
According to a notice provided on its website, BRRSD detected suspicious activity on its computer network on December 12, 2022. The regional school district immediately engaged an external cybersecurity firm to launch an investigation.
Further investigation revealed that an unauthorized party accessed information of employees enrolled in its Health Benefit Plan. Between December 10 and December 12, the threat actor accessed several files containing names, Social Security numbers, and enrollment selection information.
Employees impacted by the breach were notified on January 27, 2023, and were provided complimentary memberships to an identity theft monitoring service.
Kansas Health Clinic Announces Data Breach
Kansas-based Hutchinson Clinic experienced a healthcare data breach involving the exposure of some patient information. The incident was discovered in December 2022, and the healthcare clinic began notifying patients on February 17, 2023.
The practice promptly launched an investigation with the assistance of third-party forensic specialists after discovering suspicious activity related to certain computer systems around late December.
Further investigation revealed that an unauthorized party accessed Hutchinson Clinic’s network between December 19, 2022, and December 21, 2022, acquiring some patient information.
Following the investigation, Hutchinson “undertook a comprehensive review of the at-risk files to identify those current and former patients, and any current and former employees, whose information may have been impacted by this event. Once this comprehensive review is complete, we will continue to work as quickly as possible to mail a notification letter directly to potentially impacted individuals, which will include resources that individuals can reference to further protect their information.”
While the number of individuals impacted has yet to be determined, the organization revealed the information included name, contact information, date of birth, Social Security number, driver’s license number, health insurance information, a medical record number (MRN), medical history, diagnosis, and treatment information, and physician name.