Pramote Lertnitivanit/istock via

Kaiser Permanente reports email data breach

Recent healthcare cybersecurity incidents include an email data breach that affected Kaiser Permanente and a ransomware attack against a small rural healthcare provider.

Kaiser Permanente notified its members and patients in Southern California of an email data breach that occurred in September 2024. The organization's data breach filing has not yet appeared in the HHS Office for Civil Rights' data breach portal.

According to a notice posted to Kaiser Permanente's website, the organization discovered that an unauthorized party gained access to two employee email accounts on Sept. 3, 2024. Upon discovery, Kaiser Permanente immediately terminated the access and launched an investigation.

Further investigation determined that protected health information (PHI) was included in the breach. The PHI that was potentially accessed or viewed included names, medical record numbers, dates of birth and medical information.

"We take the privacy of our patients very seriously. After discovering the event, we quickly took steps to terminate the unauthorized party's access to the workforce members' emails. This included resetting the workforce members' email account password," the notice stated.

"Kaiser Permanente is taking appropriate steps to prevent this type of incident from recurring including, but not limited to, strengthening internal practices and controls."

Kaiser Permanente said it was not aware of any misuse of the information involved in the breach.

Rural Georgia healthcare facility suffers ransomware attack

Memorial Hospital and Manor, a small rural hospital and nursing home in Bainbridge, Ga., notified patients of a ransomware attack via a Nov. 3, 2024 post on Facebook.

The organization said that the ransomware attack was affecting its EHR system and began on the morning of Nov. 2, 2024, when employees received notifications from the organization's virus protection software about potential risks.

"Once we learned about the incident, we immediately initiated an internal investigation and are working toward a solution. We are currently evaluating our options for restoration and recovery at this time," Memorial Hospital and Manor stated.

"Please bear with us as you may experience longer wait times when you come to either the hospital or physician offices as we are working on a paper based process."

As previously reported, rural healthcare cybersecurity remains a significant challenge for the sector amid workforce shortages and budget constraints.

Mystic Valley Elder Services reports 85K-record data breach

Mystic Valley Elder Services (MVES), a nonprofit organization based in Malden, Mass., notified more than 85,000 individuals of a data breach. The organization offers home-based and community-based care to seniors.

MVES said that it discovered unauthorized access to certain systems on Apr. 5, 2024, and launched an investigation alongside law enforcement.

The investigation determined that the unauthorized third party potentially acquired files contained on MVES' systems. On July 11, 2024, MVES concluded its investigation and found that the files contained names, passport numbers, taxpayer identification numbers, financial information, dates of birth, online credentials, Social Security numbers, driver's license numbers, health insurance information and medical information.

MVES notified the affected individuals and encouraged those involved to take advantage of complimentary identity theft protection services.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.

Next Steps

U.S. calls out Russia for enabling healthcare cyberattacks

Mitigating risk as healthcare supply chain attacks prevail 

Dig Deeper on Healthcare data breaches