
FBI Finds Data of 79K Gore Medical Patients from 2017 Data Theft

The FBI notified Gore Medical that it found the data belonging to 79,100 patients from 2017 on a third-party computer; a COVID-19 data leak and two email hacks complete this week’s breach roundup.

Georgia-based Gore Medical Management, doing business as Family Medical Center, recently notified 79,100 patients that the FBI discovered some of their data on a third-party computer.

In November 2020, the FBI alerted Gore Medical to the data theft, which included the personal information of some patients. A review found that several of its practices were victims of a data breach by an unknown attacker in 2017.

The compromised data was limited to patient names, dates of birth, contact information, and Social Security numbers. The stolen files did not include healthcare or financial records. All impacted patients will receive a year of free credit monitoring and identity theft protection.

Gore Medical’s investigation into the incident concluded that the hacker did not access its medical records system. Instead, the hacker gained a foothold on the network through an undisclosed pathway, which the security team found and eliminated during a routine checkup following the breach.

Pitkin County, Colorado COVID-19 Data Leak

An undisclosed number of individuals from Pitkin County, Colorado are being notified that their data tied to COVID-19 and related contact tracing was potentially exposed for more than two months, due to a misconfigured database.

Officials first became aware of the incident on December 14, when unauthorized access was detected on an online file containing information related to COVID-19 case investigations and/or contact tracing.

Upon discovery, the IT team took steps to remediate the error and close off access from the internet.

The subsequent investigation found the data was accidentally accessible via the internet between October 1, 2020, and December 14, 2020, when it was discovered. Officials determined the database was subject to unauthorized access.

The compromised data included names, contact information, dates of birth, employer names, names of schools or childcare facilities, underlying health conditions, test type, symptoms, onset data, flu vaccination status, and unique IDs. SSNs and financial data were not impacted.

All individuals will receive free credit monitoring and identity restoration services.

“This incident is unrelated to Pitkin County’s contact tracers or their procedures to support an effective disease control strategy and keep our community safer through this pandemic,” officials explained. “Pitkin County continues to review existing policies and procedures to maximize information security.”

Covenant HealthCare Email Hack Impacts 45K Patients

The hack of two employee email accounts at Covenant HealthCare in early 2020 led to a data compromise impacting about 45,000 patients.

The attackers first gained access to the accounts in May 2020. The notice does not detail when the provider first discovered the incident, only that its document review ended in December 2020. Under HIPAA, providers are required to report breaches within 60 days of discovery and without unreasonable delay.

The investigation was led with assistance from a third-party cybersecurity team, which determined the accounts contained patient names, driver’s licenses, SSNs, health insurance details, patient account numbers, diagnoses and treatments, dates of birth, contact details, and other personally identifiable information.

Fisher-Titus Medical Center Reports Monthslong Email Hack

A hacker gained access to an employee email account at Fisher-Titus Medical Center, potentially compromising the data of an undisclosed number of patients, according to local news outlet The Sandusky Register.

The notice did not provide details on how many patients were affected, nor how and when the breach was discovered. The investigation into the incident concluded on January 13.

The investigation determined the hack lasted for about three months between August and October 2020. The account contained patient names, SSNs, insurance information, dates of birth, clinical information, diagnoses, and credit card data.

Fisher-Titus has offered impacted patients a year of free credit monitoring services. Officials said they’ve since implemented stricter password and email retention guidelines and bolstered antivirus, firewalls, and monitoring software. A new anti-phishing platform was also installed.
