Atrium Health alerts patients to phishing scheme, data breach

A phishing scheme used against Atrium Health caused one of several healthcare data breaches reported in September.

Atrium Health in North Carolina notified patients of a phishing scheme that resulted in a data breach. Atrium Health, which merged with Advocate Aurora Health in 2022, provides care at more than 1,400 locations.

According to the health system's breach notice, Atrium learned that an unauthorized third party had gained access to some employee email accounts between April 29 and April 30, 2024. The unauthorized party gained access via a phishing scheme in which employees were coaxed into providing access to their login information.

Further investigation determined that the third party "was not focused on email content pertaining to medical or health information," but investigators were unable to determine whether the third party actually viewed emails or attachments in the accounts.

As a precaution, Atrium Health compiled a list of any data types that might have been accessible to the third party, including names, addresses, Social Security numbers, financial information, dates of birth, medical record numbers, diagnoses, health insurance information, access credentials and digital signatures.

"Not all of Atrium Health's patients were impacted, only those whose information happened to be in the files used by the affected employees' accounts. Additionally, our electronic medical record systems are separate from our email accounts and were not affected by this incident," the notice continued.

Atrium Health said it would continue to strengthen its security controls and provide phishing training to its employees.

Lehigh Valley Health Network reaches $65M data breach settlement

Lehigh Valley Health Network (LVHN) reached a $65 million settlement over a February 2023 data breach that exposed nude photographs of patients seeking radiation oncology treatment, as well as other sensitive information. More than 130,000 individuals were affected by the breach.

BlackCat ransomware claimed responsibility for the cyberattack. LVHN's initial breach notice stated that BlackCat had demanded a ransomware payment, but LVHN refused to pay it.

Affected individuals filed a class-action lawsuit alleging that LVHN failed to protect data from unauthorized parties. LVHN did not admit any wrongdoing and chose to settle the lawsuit rather than prolong the litigation.

The $65 million settlement includes multiple relief tiers for breach victims. Tier one consists of $7.15 million that will be paid to all class members, with no payment exceeding $50. Tiers two and three have progressively higher amounts assigned to them, depending on the severity of information breached. Tier four allocates $52 million to class members whose nude images were published on the dark web. These individuals are eligible to receive upwards of $70,000.

2.9M individuals affected by Acadian Ambulance Service data breach

Acadian Ambulance Service notified nearly 2.9 million current and former patients of a data breach that occurred in June 2024. Acadian provides ambulance services in Louisiana, Texas, Tennessee and Mississippi.

On June 21, 2024, Acadian discovered suspicious activity within its network and immediately launched an investigation. The investigation determined that an unauthorized party accessed and took certain files and folders.

The affected data included names, Social Security numbers, medical information, dates of birth and addresses.

Acadian said it would review its security policies and procedures to reduce the likelihood of future security incidents. The ambulance service also said it had notified regulatory authorities of the breach.

Illinois Bone & Joint Institute suffers data breach

Illinois Bone & Joint Institute (IBJI) notified more than 182,000 individuals of a data breach that occurred between May 30 and July 4, 2024. Upon discovery, IBJI launched an investigation and notified law enforcement of the incident.

IBJI determined that an unauthorized party accessed its network and acquired files containing names, addresses, Social Security numbers, medical treatment information, dates of birth and claims information.

"IBJI is committed to maintaining the privacy and security of the information entrusted to it and apologizes for any inconvenience this incident might cause," the notice continued. "IBJI has taken, and is taking, additional steps to help reduce the likelihood of a similar event from happening in the future, including enhancing its technical security measures."

IBJI offered identity theft protection services to individuals whose Social Security numbers might have been involved in the incident.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
