
Third-Party Data Breaches, Unauthorized Email Access Cause PHI Exposure

A Massachusetts billing company data breach impacted some Beth Israel clients, and the CO Department of Human Services fell victim to a third-party data breach.

Third-party data breaches, unauthorized email access, and cyberattacks aimed at small outpatient facilities continue to impact the healthcare sector.

Threat actors are increasingly leveraging Ransomware-as-a-Service (RaaS) models, software vulnerability exploits, and double extortion over traditional data encryption, a recent Abnormal Security report found.

Healthcare organizations should remain vigilant and prepare accordingly.

Florida Bone and Joint Specialist Faces Email Data Breach

iRise Florida Spine and Joint Institute began notifying 61,595 individuals of a healthcare data breach stemming from a compromised employee email account.

iRise discovered the breach in November 2021 and determined that the email account had been accessed by an unauthorized individual between February 24 and February 26, 2021. A manual document review and investigation revealed that protected health information may have been accessed.

The email account contained names, birth dates, clinical treatment information, dates of service, health insurance information, and physician and hospital names. In some cases, Social Security numbers, driver’s license numbers, financial account information, and usernames and passwords were also impacted.

Not all iRise clients were impacted by the incident, and the practice said it had no reason to believe that any information had been misused.

“Since the date of this incident, iRise has taken measures to improve its technical safeguards in order to minimize the risk of a similar incident in the future, including implementing additional technical safeguards on its email system, implementing multifactor authentication, and providing additional training to employees to increase awareness of the risks of malicious emails,” the notice stated.

Massachusetts Medical Billing Company Breach Exposes PHI

Boston-based medical billing company Medical Healthcare Solutions (MHS) posted a notice on its website alerting clients to a cyber incident that impacted some protected health information on its network.

MHS said it discovered the incident on November 19, 2021, and later found that an unauthorized party potentially removed files from its network. MHS began sending notification letters on January 21 following an extensive investigation. The breach is not yet listed on the Office for Civil Rights (OCR) data breach portal and it is unclear how many individuals were impacted.

MHS issued the notice on behalf of its clients, including Harvard Medical Faculty Physicians at Beth Israel Deaconess Medical Center and associated physicians.

The impacted information included names, phone numbers, addresses, Social Security numbers, driver’s license numbers, payment card numbers, claim numbers, insurance plan information, provider ID numbers, procedure codes, treatment costs, medical record numbers, and treatment information.

“The privacy and security of the personal information MHS maintains on behalf of its clients is of the utmost importance,” the notice stated.

MHS established a phone line dedicated to questions about the event and is offering impacted individuals 24 free months of credit monitoring and identity protection services.

CO Department of Human Services Impacted by Sound Generations Breach

The Colorado Department of Human Services (CDHS) experienced a potential data breach via third-party vendor Sound Generations. CDHS sent a breach notification to over 6,000 individuals.  

Sound Generations, a nonprofit that provides food security, transportation, and health and wellness services to seniors and disabled adults, experienced two data security incidents that resulted in potential PHI exposure for over 103,000 individuals.

An unauthorized party accessed Sound Generations’ computer systems and encrypted information once on July 18, 2021, and again on September 18, 2021.

CDHS said it had a contract with Sound Generations to store data for its evidence-based fall prevention program, A Matter of Balance.

“After the conclusion of the third party’s forensic investigations, Sound Generations conducted its own investigation and due diligence to identify the affected individuals and the nature of their personal information that may have been compromised,” the CDHS notice stated.

“Sound Generations has determined that some of its client information has been potentially impacted following the incidents. To date, Sound Generations has no reason to believe that there was a misuse of the information pertaining to the potentially impacted individuals.”

The impacted information may have included names, phone numbers, birth dates, addresses, insurance status, and email addresses. CDHS urged impacted individuals to remain vigilant, although it had no evidence that the data had been misused.
