Latest Healthcare Data Breaches Impact Providers, Business Associates

Signature Healthcare Suffers Data Security Incident

Signature Healthcare Corporation (SHC) in Brockton, Massachusetts, suffered a data breach that potentially resulted in personal information exposure. On November 4, 2021, SHC discovered that an unauthorized individual had temporarily accessed clinician employees’ email accounts beginning on October 16.

SHC emphasized that it had no evidence of identity theft or fraud, and it had no evidence that the unauthorized individual actually accessed patient information.

However, the email accounts contained patient names, sex, birth date, diagnoses, medical history, test results, and medical record numbers.

“SHC has committed to taking steps to help prevent something like this from happening again, including reviewing its technical controls and procedures,” the organization said in a notice to patients.

It is unclear how many individuals were impacted by the incident.

Colorado Physician Partners Email Hacking Incident Impacts 12.8K

Colorado Physician Partners (CPP) suffered a data breach due to an email hacking incident, a notice on its website stated. According to the Office for Civil Rights (OCR), the breach impacted 12,877 individuals.

On January 27, 2022, CPP discovered that an unauthorized individual gained access to a CPP employee’s email account using a foreign IP address. The hacker then used the employee’s email account to send a fake invoice to another employee.

“The recipient found the invoice request unusual, which led to the discovery that the employee’s email had been hacked,” the notice explained.

“CPP immediately secured the employee’s email account to block the access and started investigating the incident.”

Further investigation revealed that the hacker had used syncing and potentially copied all emails from the employee’s inbox. CPP could not determine whether the hacker viewed any information. Still, the email account contained names, phone numbers, addresses, email addresses, diagnoses, medication information, billing and coding information, insurance ID numbers, and dates of service.

“In response, CPP began enhancing the protections that were already in place before this incident. CPP worked with its IT professionals to implement password resets and made changes to settings and how employees gain access to their email accounts,” the notice continued.

“CPP is reinforcing security awareness through reminders and additional training to its entire workforce. Additionally, CPP reported this incident to law enforcement for further investigation.”

Healthcare Billing Administrator Breach Impacts 56K

Advanced Medical Practice Management (AMPM), a New Jersey-based healthcare billing administrator, suffered a data breach that impacted over 56,000 individuals. A notice on the business associate’s website explained that AMPM discovered suspicious activity on August 5, 2021.

Further investigation revealed that an unauthorized actor acquired files from the company’s environment between July 11 and July 13, 2021. The files contained names, Social Security numbers, driver’s license numbers, financial account information, birth dates, passport numbers, medical record numbers, prescription information, Medicare and Medicaid numbers, diagnoses, electronic signature information, and other medical information.

AMPM said it “responded quickly to this event” and has been working to notify impacted individuals.

“Further, as part of its ongoing commitment to the privacy and security of personal information in its care, AMPM is reviewing and enhancing its existing policies and procedures relating to data protection and security,” the notice stated.

“AMPM also instituted additional security measures, as well as provided additional training to employees, to mitigate any risk associated with this incident and to better protect against future incidents. AMPM is also notifying relevant state and federal regulators, as required.”

AMPM recommended that impacted individuals remain vigilant against identity theft and fraud incidents.

East Tennessee Children’s Hospital Data Breach Update

As previously reported, East Tennessee Children’s Hospital (ETCH) experienced a security issue that led to some service disruptions in mid-March. In an April update, ETCH informed patients that an unauthorized actor potentially copied or viewed documents on the hospital’s system between March 11 and March 14.

ETCH is actively working on determining the scope of the incident and is conducting a review of the impacted data.

So far, ETCH determined that the accessed systems contained names, birth dates, Social Security numbers, demographic information, driver’s license numbers, medical information, credit or debit card information, usernames and passwords, and health insurance information.

“Along with providing outstanding patient care, the confidentiality, privacy, and security of information within our care are among our highest priorities,” ETCH explained.

“Upon discovering this incident, we promptly took steps to secure our systems and investigate the full scope of the incident. While the investigation of and response to the event are ongoing, we have taken additional steps to further enhance the security of our systems.”

ETCH is still working on notifying impacted individuals of the incident.