Gorodenkoff - stock.adobe.com

NY Ambulance Service Suffers Healthcare Data Breach, 318K Impacted

In addition to Empress EMS, Lubbock Heart & Surgical Hospital, Medical Associates of the Lehigh Valley, and more reported healthcare data breaches recently.

Yonkers, New York-based Empress Emergency Medical Services (EMS) reported a breach to HHS that impacted 318,558 individuals.

A notice on its website stated that Empress EMS identified a network incident that resulted in the encryption of some of its systems on July 14. Further investigation determined that an unauthorized party gained access to Empress’ systems on May 26 and copied a small subset of files in July.

The files included patient names, insurance information, dates of service, and some Social Security numbers. Empress EMS encouraged impacted individuals to remain vigilant and review their healthcare statements for accuracy.

“We take this matter very seriously and deeply regret any inconvenience to our patients,” the notice stated.

“To help prevent something like this from happening again, we strengthened the security of our systems and will continue enhancing our protocols to further safeguard the information in our care.”

Lubbock Heart & Surgical Hospital Experiences Breach, 23K Impacted

In mid-July, Texas-based Lubbock Heart & Surgical Hospital discovered a data security incident and immediately took steps to secure its systems, a notice on the hospital’s website stated.

Further investigation revealed that an unauthorized party had accessed the hospital’s systems between July 11 and 12 and attempted to copy certain files. The investigation was unable to determine whether the unauthorized party successfully accessed or copied any files.

The files contained patient names, contact information, dates of birth, Social Security numbers, demographic information, diagnosis and treatment information, medical record numbers, provider names, dates of service, and prescription information.

Lubbock Heart & Surgical Hospital notified HHS-OCR of the breach, which impacted a total of 23,379 individuals. The hospital recommended that patients carefully review health insurance statements and offered credit monitoring services to those whose Social Security numbers were involved.

“We take this incident very seriously and sincerely regret any concern this may cause,” the notice concluded.

“To help prevent something like this from happening again, we enhanced its security safeguards and technical measures to further protect and monitor its systems.”

75K Affected by Ransomware Attack at Medical Associates of the Lehigh Valley

Pennsylvania-based Medical Associates of the Lehigh Valley (MATLV) notified 75,628 individuals of a “sophisticated ransomware attack” it experienced in early July.

A notice on MATLV’s website said that the clinic immediately launched an investigation and learned that certain files were potentially subject to unauthorized access.

The files contained patient names in combination with Social Security numbers, medical treatment information, lab results, addresses, email addresses, birth dates, driver’s license numbers, and medication information.

“In response to this incident, MATLV has partnered with third-party forensic specialists to fully investigate the nature and scope of this matter, and to evaluate and reinforce existing security measures and facilities within the network to ensure optimal data security,” the notice stated.

“Although MATLV has no evidence of actual or attempted fraudulent misuse of information as a result of this incident, individuals are nonetheless encouraged to monitor their account statements and explanation of benefits forms for suspicious activity and to detect errors.”

The Physicians’ Spine and Rehabilitation Specialists of Georgia Discloses Breach

The Physicians’ Spine and Rehabilitation Specialists of Georgia notified more than 38,700 patients of a cybersecurity incident. The practice was alerted to the incident on July 11 and immediately began the process of changing passwords and restoring information security systems, a notice on its website stated.

“The investigation team determined that, despite numerous security measures that were in place prior to the incident - an outside, unauthorized party accessed the information technology systems the week before discovery and claims to have taken certain information/records that could be posted,” the notice continued.

The Physicians’ Spine and Rehabilitation Specialists of Georgia were unable to determine what, if any personal information was taken during the incident. However, the practice noted that “if any individual’s medical or billing information was taken,” it may have included names, contact information, birth dates, Social Security numbers, driver’s license numbers, diagnoses, treatment information, and other information that may vary by patient.

The practice said that it does not store patient credit card or bank account numbers.

“In an abundance of caution, the Practice is offering affected parties free credit monitoring and identity theft insurance through Experian – solely to give patients peace of mind,” the practice assured patients.

Next Steps

Dig Deeper on Healthcare data breaches