Duncan Regional Hospital Data Breach Impacts 92K
Duncan Regional Hospital, Crossroads Health, and others disclosed separate healthcare data breaches that collectively impacted hundreds of thousands of individuals.
Oklahoma-based Duncan Regional Hospital (DRH) suffered a data breach in January 2022 that impacted over 92,000 individuals, according to the Maine Attorney General’s Office.
The not-for-profit community hospital discovered a “data security incident that impacted access to some of its systems,” a letter to impacted individuals explained. It is unclear whether the incident involved ransomware or data exfiltration.
DRH immediately disconnected all systems from external access and implemented incident response protocols when it discovered the incident on January 20, 2022.
Further investigation revealed that patient names, Social Security numbers, treatment information, medical appointment information, and birth dates might have been exposed. In addition, employee W-2 information, including names, birth dates, Social Security numbers, and addresses, was potentially impacted.
“DRH took steps to address this incident and to prevent similar incidents in the future, including but not limited to changing all passwords, tightening firewall restrictions, and implementing endpoint threat detection and response monitoring software on workstations and servers,” the letter stated.
Impacted individuals also received credit monitoring services via Experian. The incident has not yet been logged on the Office for Civil Rights (OCR) data breach portal.
OH Mental Health Clinic Suffers Hacking Incident
Mentor, Ohio-based Crossroads Health identified a data security incident on January 18, 2022, that impacted more than 10,300 individuals. Crossroads Health provides mental health treatment and support programs to Lake County, Ohio residents.
An investigation revealed that an unauthorized actor had access to Crossroads’ systems between November 21, 2021, and January 18, 2022. The unauthorized party removed files from a legacy system, which impacted former clients of Beacon Health, an organization that previously merged with Crossroads Health.
The impacted files contained names, birth dates, contact information, driver’s license numbers, Social Security numbers, health insurance information, and treatment and diagnosis information.
“We take this incident very seriously and sincerely regret any concern this may cause,” Crossroads Health said in a statement on its website.
“To help prevent something like this from happening again, we have implemented additional safeguards and technical security measures to further protect and monitor our systems.”
Crossroads also urged impacted individuals to contact relevant providers if they see services they did not receive on their medical bills.
Acacia Network Notifies 30K Data Breach Victims More Than 1 Year Later
The Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts, a New York-based program that falls under Acacia Network, suffered a healthcare data breach that impacted more than 30,000 individuals.
Although Acacia discovered the breach on July 17, 2020, it only began sending breach notification letters on February 22, 2022. HIPAA requires covered entities to notify impacted individuals of a healthcare data breach within 60 days of discovering the incident.
Acacia determined that an unauthorized individual gained access to employee email accounts for six days in June 2020. An investigation was unable to determine whether the individual viewed any emails or attachments.
The accounts contained patient Social Security numbers, medical record numbers, birth dates, driver’s license numbers, addresses, financial account numbers, names, Medicare numbers, provider names, treatment information, and prescription information.
Acacia said it had no evidence that any information had been viewed or misused, but it was unable to rule out the possibility.
“Acacia deeply regrets any inconvenience or concern this incident may cause. Acacia continually evaluates and modifies its practices to enhance the security and privacy of clients’ information,” the notice stated.
“To help prevent something like this from happening in the future, Acacia is reinforcing employee training on privacy and security and is instituting additional security measures.”
Ascension Michigan EHR System Breach Impacted 27K
Ascension Michigan began notifying patients of a data breach that impacted its EHR system and affected 27,177 individuals. On November 30, 2021, Ascension Michigan determined that an unauthorized party had accessed its EHR between October 15, 2015, and September 8, 2021.
The unauthorized party went undetected for more than five years, and the breach was not posted on OCR’s portal until February 2022.
The unauthorized party potentially had access to names, addresses, email addresses, birth dates, phone numbers, health insurance identification numbers and carriers, dates of service, treatment information, diagnosis information, and some Social Security numbers.
“In response to the incident, Ascension Michigan has taken steps to further protect its patient information, including a review of internal controls and further improvement to processes intended to safeguard patient information,” Ascension’s website notice stated.
In an unrelated incident, Ascension Michigan and more than 30 other healthcare organizations fell victim to a business associate breach targeted at technology vendor Ciox Health in June and July 2021.