Alex - stock.adobe.com

CorrectHealth Suffers Email Account Data Breach, 54K Impacted

CorrectHealth, First Street Family Health, and Gifted Healthcare all disclosed data breaches recently.

Georgia-based CorrectHealth (CH), which provides healthcare to individuals inside correctional facilities, reported a data breach to the Maine Attorney General’s Office that impacted 54,000 individuals.

According to the breach notice, CorrectHealth discovered suspicious activity on its employee email accounts on November 10, 2021. CorrectHealth said it immediately launched an investigation into what information was involved, which spanned from March to July 2022.

The incident potentially impacted full names, Social Security numbers, and addresses. CH said it engaged a cybersecurity firm to investigate the incident and complied with the FBI “as part of a larger investigation into the threat group responsible.”

“Additionally, CH issued a company-wide password reset for all employees, employed an advanced phishing service for CH’s email tenant, began putting disclaimers on all externally received emails, implemented Multi-Factor Authentication for all administrative staff, began rolling out a Single Sign On solution for clinical staff, and effected weekly data security and monthly simulated phishing training for all employees,” CorrectHealth stated.

CorrectHealth said it was not aware of any attempted misuse of the impacted information.

First Street Family Health Discloses Cyberattack, PHI Deletion

First Street Family Health (FSFH) in Colorado notified 7,310 individuals of a cyberattack that resulted in the automated deletion of files containing protected health information (PHI). FSFH discovered the attack in mid-July and was able to restore most of the files from untouched backups.

However, FSFH was not able to recover records from June 28 to July 15 because the backups were also deleted. Additionally, the unauthorized party potentially viewed and acquired information from the small percentage of patients who had medical referral forms on file.

“There is no indication the deleted files were first viewed or exported by the cyber criminal,” FSFH told patients. “FSFH was not locked out of the files through encryption as is often the case. Instead, its files were programmatically deleted.”

The information impacted by the incident included full names, birth dates, phone numbers, addresses, Social Security numbers, email addresses, dates of service, diagnoses, conditions, lab results, medication information, health insurance identification cards, and billing information.

FSFH said it performed a full password reset and enhanced its security measures. Additionally, FSFH reported the incident to law enforcement and engaged a national cybersecurity firm.

Gifted Healthcare Breach Impacts 13K

Travel nurse agency Gifted Healthcare reported a breach to the Maine Attorney General’s Office that impacted 13,770 individuals.

It is unclear when Gifted Healthcare first discovered the incident, but an unauthorized party was able to access three employee email accounts between August 25 and December 10, 2021. Gifted Healthcare finished its investigation into the incident in July 2022.

The breach impacted Social Security numbers, names, driver’s license numbers, addresses, financial information, and medical information.

Gifted Healthcare recommended that impacted individuals remain vigilant against instances of identity theft and fraud.

Next Steps

Dig Deeper on Healthcare data breaches