Gorodenkoff - stock.adobe.com

3 Indiana Clinics Suffer Healthcare Data Breaches

Other recent breaches include a health plan data breach at a trucking company, a PHI breach at a MN medical center, and a phishing attack on a TX epilepsy foundation.

Three Indiana healthcare providers suffered unrelated healthcare data breaches recently, again signaling an increase in cyberattacks and data breaches across the nation.

Eskenazi Health in Indiana confirmed on October 1 that bad actors stole and posted patient information on the dark web. A previous notice in August had alerted patients and employees to the cyberattack, but at that time it was unclear whether any information was misused.

Impacted information included Social Security numbers, names, addresses, passport numbers, credit card numbers, and other financial and medical information.

Johnson Memorial Health, which serves patients across Johnson County, Indiana, also announced that it fell victim to a cyberattack on October 2 that disabled its entire network. The FBI is investigating the attack and the systems remain down.

Cyberattack Impacts Operations at Indiana Medical Center

Also in Indiana, Schneck Medical Center discovered on September 29 that it fell victim to cyberattack. Schneck notified patients the same day and disclosed that the attack had disrupted organizational operations. Access to all IT applications within the facility was suspended, and Schneck engaged a third-party investigator to look into the incident.

“These types of situations take time to fully resolve,” Schneck Medical Center explained.

“We are working with IT security experts to methodically investigate the situation, are in the process of notifying law enforcement, and are taking appropriate actions to safely and quickly resolve any disruption to our systems.”

The medical center assured that most services were unaffected. Patients should still arrive at scheduled appointments unless otherwise notified.

“As a team of dedicated and caring medical professionals, we understand that healthcare is about people taking care of people,” the announcement continued.

“We remain committed to continuing to provide exceptional care to our communities and will provide additional updates as appropriate.”

TX Epilepsy Foundation Notifies Patients of phishing attack

Epilepsy Foundation of Texas (EFTX) notified an unknown number of individuals about a healthcare phishing attack that occurred in early June.

EFTX discovered that fraudulent emails were being sent from an employee email account. After engaging with IT professionals, the foundation determined that it was the victim of a phishing attack.

Breached personal information included names, birth dates, driver’s license numbers, medical information, financial account numbers, biometric data, Social Security numbers, and usernames and passwords.

“EFTX takes the security of personal information very seriously. Since discovering this incident, EFTX reviewed and supplemented security protocols,” the statement explained.

EFTX said it has no evidence that any information was misused, but the foundation encouraged impacted individuals to remain vigilant against incidents of identity theft.

Trucking Company Faces Employee Health Plan Data Breach

Illinois-based trucking company Navistar notified 49,000 current and former employees as well as health plan participants of a data breach that potentially exposed protected health information (PHI).

Navistar discovered the security incident on May 20 and immediately launched an investigation in accordance with its cybersecurity response plan. The investigation revealed that the incident likely occurred prior to May 20, though the company did not provide a specific date.

On May 31, Navistar received a notification from an unauthorized third party that data had been stolen from its IT systems. In early June, Navistar filed an 8-K with the US Securities and Exchange Commission (SEC).

On August 20, Navistar discovered that the threat actors had accessed and stolen data containing the names, addresses, birth dates, Social Security numbers, and health plan information of some participants of the Navistar, Inc. Health Plan or the Navistar, Inc. Retiree Health Benefit and Life Insurance Plan.

“Navistar is committed to systems security and the protection of its corporate, customer, dealer, current and former employee, and plan participant information,” the trucking company stated.

“The company has taken a number of steps to enhance its security protocols and controls, technology, and training, and continues to assess additional options to protect its IT systems. Navistar takes the security of its systems and data very seriously and regrets any concern this situation may have caused.”

Minnesota Medical Center Suffers PHI Breach

OSF HealthCare in Minnesota began mailing letters to patients of OSF St. Paul Medical Center and OSF HealthCare Little Company of Mary Medical Center whose information may have been exposed via a healthcare data breach.

The health system discovered the incident on April 23 and said that it immediately took steps to secure its systems. The incident disrupted the health system’s IT operations for an undisclosed period of time. Further investigation revealed that an unauthorized party gained access to OSF HealthCare’s systems from March 7 to April 23.

By August 24, the health system determined that patient names, birth dates, Social Security numbers, physician names, treatment and diagnosis codes, health insurance information, and driver’s license numbers were exposed. For a small subset of patients, financial account information was also exposed.

We take this incident very seriously and sincerely regret any concern this may cause,” OSF HealthCare explained.

“To help prevent something like this from happening again, we have implemented additional safeguards and technical security measures to further protect and monitor our systems.”

OSF will provide free credit monitoring and identity protection services to the individuals whose Social Security numbers or driver’s license numbers were breached.

Next Steps

Dig Deeper on Healthcare data breaches