
American Medical Tech Reports 2019 Email Hack Impacting 47K Patients

American Medical Technologies is just now reporting a breach discovered in 2019 impacting more than 47,000 patients; ransomware attacks, email hacks, and a COVID-19 dashboard incident complete this week’s breach roundup.

California-based American Medical Technologies (AMT), a healthcare supplier, recently began notifying 47,767 patients that their data was potentially breached after a hack of an employee email account in 2019. 

On December 17, 2019, AMT officials first detected suspicious behavior occurring within one employee email account. An investigation was launched with assistance from a third-party forensics team, which included a data mining process. 

Five months later, the investigation revealed personal information was potentially accessible to the attacker during the security incident. AMT will provide impacted patients with free credit monitoring services. 

The notification did not detail just what patient information was contained in the impacted account. But it’s important to note that under HIPAA, covered entities have just 60 days from the time of breach discovery to report incidents impacting over 500 patients. 

AMT has since reviewed the security of its email systems with assistance from two information security vendors and made improvements based on those recommendations. The vendor has also implemented security improvements to its web server infrastructure.

Missouri County Health Center Investigates COVID-19 Dashboard Leak 

Clay County Health Center in Missouri is investigating a reported data leak from its COVID-19 dashboard, after some patients claimed to have been able to access a spreadsheet containing personally identifiable information, including positive COVID-19 cases, according to local news outlet ABC KMBC 9 News.

An individual sent the news team an apparent screenshot of the dashboard, which showed 44 alleged entries, including names, contact information, ages, and ethnicities, as well as confirmed cases of COVID-19.

About one-third of those entries appeared to be from the Pleasant Valley Manor Care Center, which has a known COVID-19 outbreak. 

“Clay County Public Health Center takes any potential violation of HIPAA very seriously,” Clay County Public Health Center spokeswoman Kelsey Net said in a statement. “When we learned there was the possibility of a problem existing, we immediately disabled access to the dashboard.”

“Some sections of information that were previously available have been removed from the dashboard until the situation can be fully investigated,” she added. “We’re following HIPAA standards and currently have our HIPAA Privacy Officer and HIPAA Security Officer thoroughly investigating the matter.”

It’s currently unknown how long the site issue lasted, or when it began.

Choice Health Management Reports Breach From 2019 

Choice Health Management Services in North Carolina is just now notifying an undisclosed number of patients, employees, and other associated third parties that their personal and health information was potentially breached after a hack on several employee email accounts in 2019. 

According to the notice, officials first discovered suspicious activity in certain employee email accounts sometime in late 2019. Upon discovery, the account access was blocked, and user credentials were changed. 

On January 17, 2020, the investigation confirmed a hacker accessed those accounts, but could not determine just what emails and attachments were subjected to the unauthorized access. 

A review was then launched with help from a third-party team to determine the information contained in the compromised accounts, which concluded on March 27 that the impacted accounts indeed held personal health information. 

“However, since the vendor was unable to link a large number of the individuals to the facility where the individuals sought treatment, Choice Health Management Services began a review of its internal records to determine this information so notice could be provided to the appropriate facility,” officials said in a statement. 

“On May 12, 2020, Choice Health Management Services completed its internal review and determined which individuals received care from a facility associated with Choice Health Management Services. On April 16, 2020 and again on May 22, 2020, Choice Health Management Services notified facilities about the event and requested permission to provide patients and residents with notice, which was subsequently granted.”

Officials were able to determine the potentially compromised data varied by patient and could include names, Social Security numbers, driver’s licenses, passport numbers, credit cards, financial information, employer identification numbers, email addresses and credentials, diagnostic or treatment information, dates of service, providers, patient numbers, surgical information, and other sensitive data. 

On June 23, Choice Health began notifying patients of the potential data breach. Officials said they’ve since rebuilt the impacted computer to eradicate a potential virus or malware, as well as reviewed the privacy policies and procedures and implemented additional security safeguards. 

Ransomware Attack Hits Florida Orthopaedic Institute 

About 640,000 patients are being notified by the Florida Orthopaedic Institute (FOI) of a potential patient data breach after a recent ransomware attack.

First discovered on or about April 9, the ransomware encrypted the data stored on the servers of FOI. The system was quickly secured, as officials worked to restore the impacted data and investigate with help from a third-party forensics investigator. 

The investigation concluded on May 6 that patient data was potentially exfiltrated or accessed during the cyberattack. The impacted data varied by patient and could include names, contact details, Social Security numbers, dates of birth, insurance plan identification numbers, claims addresses, FOI claims histories, diagnosis codes, payer identification numbers, payment amounts, and physician locations.

All affected patients will receive free identity monitoring. 

CHI St. Luke’s Health Memorial Lufkin Email Hack

A hack of several employee email accounts at CHI St. Luke’s Health Memorial Lufkin potentially compromised some patient information. 

The potential compromise was uncovered during an investigation into a security event involving one of the provider’s servers on March 25. Officials said they reset passwords across the enterprise and launched an internal investigation with their threat management team and outside vendors.

The affected data included patient names, diagnoses, dates of service, and facility account numbers. The investigation did not find evidence to confirm the data was viewed or obtained during the hack, which occurred on April 23. 

“The investigation included engaging forensic experts, interviewing employees, reviewing data and access logs, conducting threat intelligence analysis, and reviewing various data file types in order to determine what, if anything, had happened,” officials said in a statement. 

“The patients’ electronic health records were not involved,” they added. “CHI St. Luke’s Health-Memorial Lufkin has taken steps to confirm that its network remains secure, and it is continuing to work with law enforcement and forensic experts.” 

CHI St. Luke’s has since replaced and upgraded its hardware, made software changes, and improved processes for accessing the network.
