
Over 611K Impacted in Most Recent String of Healthcare Data Breaches

Healthcare data breaches continue to increase in severity—a cyberattack at Norwood Clinic impacted 228K individuals and a Denver cardiology practice breach hit 287K.

Healthcare data breaches continue to increase in severity and scope as organizations grapple with the ever-changing cyber threat landscape.

The most recently reported data breaches, outlined below, collectively impacted over 611,000 individuals. To mitigate risk, healthcare organizations should review their cybersecurity programs and practice cyber incident response plans.

Norwood Clinic Cyberattack Claims 228K Victims

Norwood Clinic in Birmingham, Alabama, suffered a cyberattack that impacted 228,000 individuals, the Office for Civil Rights (OCR) data breach portal showed.

On October 22, 2021, Norwood Clinic discovered that it was the victim of a cyberattack that resulted in unauthorized data access, a notice on the clinic’s website explained. Norwood said it immediately took steps to secure its systems and engaged cybersecurity experts to conduct an investigation.

“However, the investigation was unable to confirm the specific information that may have been accessed,” the notice stated.

“Therefore, out of an abundance of caution, Norwood is providing notice to all of its patients, regardless of whether their information was in fact subject to unauthorized access or acquisition. Norwood has no reason to believe that any individual’s information has been misused as a result of this event.”

The impacted server contained patient names, contact information, driver’s license numbers, Social Security numbers, birth dates, health insurance policy numbers, and limited health information.

Norwood Clinic said that it has since implemented revised email policies, added password complexity rules, and updated network security hardware and login mechanisms.

South Denver Cardiology Associates Breach Impacts 287K

South Denver Cardiology Associates (SDCA) suffered a healthcare data breach that impacted 287,652 individuals. SDCA discovered unusual network activity on January 4, 2022, a notice on its website stated.

The practice engaged its incident response plan and took additional steps to secure the network. Further investigation revealed that an unauthorized party had accessed the network between January 2 and January 5 and accessed certain files.

The files contained Social Security numbers, driver’s license numbers, health insurance information, names, birth dates, clinical information, and patient account numbers.

SDCA said it had no reason to believe that any patient information was misused as a result of the incident.

“Events of this nature are affecting an increasing number of companies in the U.S. and around the world. The federal government, law enforcement, and industry experts are working in tandem to address this activity,” the notice concluded.

“We appreciate and thank you for your continued trust in South Denver Cardiology Associates as we work through the changing information landscape, and we are here for any questions or future concerns.”

Ultimate Care Phishing Attack Exposes Nearly 16K

Brooklyn, New York-based Ultimate Care began notifying 15,788 individuals of a phishing attack that occurred in April 2021. In a notice on its website, the licensed home care agency said that an unauthorized party gained access to a limited number of employee email accounts.

It is unclear when Ultimate Care first discovered the incident. The notice said that on December 23, 2021, after an extensive investigation, Ultimate Care discovered that an unauthorized actor had maintained access to employee email accounts from April 7 to June 2, 2021.

The unauthorized party may have accessed names, passport numbers, Social Security numbers, driver’s license numbers, financial account information, medical information, usernames and passwords, and health insurance information.

Ultimate Care began notifying impacted individuals of the breach on February 22, 2022. The HIPAA Breach Notification Rule requires covered entities to notify affected individuals within 60 days of discovering a breach, with few exceptions.

“Protecting the privacy of personal information is our top priority,” the notice stated.

“We are committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. We continually evaluate and modify our practices and internal controls to secure personal information.”

80K Affected By Memorial Village ER Hacking Incident

On March 9, Memorial Village ER in Texas began sending breach notification letters to 80,000 individuals following a February 18 hacking incident.

The incident potentially exposed names, birth dates, addresses, and COVID-19 testing results. Memorial Village ER said that the data was contained on a HIPAA-compliant secure server. However, an “unknown entity” accessed and hacked the server.

Memorial Village ER is offering impacted individuals 12 months of identity theft monitoring.
