Trillium, SIU Medicine Added to Tally of Accellion FTA Breach Victims

Sandhills Medical Data Impacted by Vendor Ransomware Attack

Sandhills Medical Foundation is notifying an undisclosed number of patients that their data was stolen prior to a ransomware attack on its third-party vendor, which provides Sandhills with electronic data storage for some of its scheduling, billing, and reporting systems.

The vendor first notified Sandhills of the ransomware attack on January 8, which impacted the provider’s systems and the stored data. The vendor’s investigation determined the hackers used compromised credentials to access the system on September 23, 2020.

Access to Sandhills’ system began on November 15, and the hackers exfiltrated Sandhills’ data prior to the ransomware deployment on December 3.

The stolen data included patient names, SSNs, dates of birth, contact information, driver’s licenses, and claims data that could be used to determine patient diagnoses and conditions. Patient medical records, lab results, medications, credit cards, and bank account details were not impacted.

The vendor paid the hackers’ ransom demand to return the stolen data and “received assurances that the data was deleted or destroyed. However, reports show that it’s getting difficult to trust these assurances, as hackers may falsify this information.

The vendor has since bolstered its security measures. Sandhills reported the breach to the Office for Civil Rights, state regulatory agencies, and the national credit reporting agencies.

The notice bears similarities and timeframes to the Netgain ransomware attack, which impacted individuals from Ramsey County, Minnesota and Woodcreek Provider Services.

New London Hospital Reports Breach From July 2020

About 34,878 patients of New London Hospital in New Hampshire are being notified their data was potentially compromised by a breach that occurred more than six months ago in July 2020.

It’s unclear when the security incident was first discovered, but the notice explained that an unauthorized party gained access to a file on the NLH network “for a short period of time” on July 30, 2020.

The investigation concluded on February 16, which confirmed the compromised file contained patient information, such as names, demographic details, and SSNs. The file did not include diagnoses, treatments, medications, or hospitalization information.

Under HIPAA, healthcare entities are required to report breaches of protected health information within 60 days of discovery -- not at the close of an investigation.

The breached network system is no longer in use at the hospital. The notice provides scarce details on just how the intruder broke into the network and just how long the unauthorized access occurred.

ProPath Reports Employee Email Hack

The hack of two employee email accounts belonging to ProPath led to the compromise of some patient data for more than four months in 2020.

The impacted accounts were secured and mandatory password resets were enforced, upon discovery. The notice does not disclose when the hack was first discovered, just that the investigation determined the extent of the hack on January 28, 2021.

An investigation, led with assistance from a third-party cybersecurity team, found the accounts contained both personal data and protected health information of patients who received laboratory or pathology testing services from ProPath.

This data could include names, dates of birth, test orders, diagnoses, clinical treatments, medical procedures, and provider names. A limited number of SSNs, financial account information, driver’s license numbers, health insurance details, and passports were also compromised. Patients whose SSNs were exposed will receive free credit monitoring.

ProPath has since bolstered its technical safeguards, including implementing further security measures on its email system and strengthening its email security training with employees.

Email Hack Impacts Saint Agnes, Saint Alphonsus Hospitals

California-based Saint Agnes Medical Center, a member of Trinity Health, and its sister health system, Saint Alphonsus Health System in Idaho, were recently impacted by an email hack, which potentially breached the data of an undisclosed number of patients.

On February 5, Saint Agnes was notified by Saint Alphonsus of an employee email compromise, which led to the account sending phishing emails between January 4 and 6. The hacker was attempting to obtain login credentials.

It first appeared that the incident only impacted Saint Alphonsus. But the investigation later determined some of the compromised data belonged to Saint Agnes. Saint Alphonsus handles the billing for the hospital’s western region.

The hack was discovered on January 6, and the account was quickly secured.

A review of the account determined some patient information may have been accessible during the incident, including names, dates of birth, contact details, email, and medical information, such as treatments, billing data, and record numbers. All patients will receive a year of free credit monitoring.

65K Patients Impacted By Insider Wrongdoing at Humana

Humana is notifying 65,000 individuals of an insider wrongdoing incident at one of its vendors, which led to the exposure of their personal and health information. The vendor, Cotiviti, supports Humana with medical records requests to verify data reported to CMS.

Cotiviti uses a subcontractor to review collected medical records. The incident was caused by a subcontractor’s employee, who inappropriately disclosed patient data to unapproved individuals for unauthorized training purposes between October 12 and December 16, 2020.

The information included patient names, dates of birth, SSNs, contact information, insurance identification numbers, dates of service, medical records numbers, treatment information, and medical images.

Upon discovery, the employee’s access to the medical records was disabled. The employee is no longer employed by the subcontractor. Cotiviti and the subcontractor have since implemented a “broad strategy” to prevent further unauthorized disclosure of information.

Humana was notified of the incident on December 22. The notice does not explain the reason for delayed reporting. The insurer worked with Cotiviti to ensure it bolstered protections and security of personal information, while reviewing the physical and technical safeguards of Cotiviti and its subcontractor.