1.9M patients, 657 providers face data breach after debt collections firm attack

A ransomware attack on debt collections firm Professional Finance Company led to 1.9 million patients having their data accessed. (Senior Airman Amanda A. Flower-Raschella/Air Force)

The data of 1.9 million patients tied to 657 healthcare providers was accessed during a “sophisticated” ransomware attack on debt collections firm Professional Finance Company in February.

Despite the major impact, it’s still just the third-biggest healthcare data breach reported in 2022. With the impact of the Eye Care Leaders incident still being reported, it remains the largest healthcare incident, with well over 2.8 million impacted patients from fewer than 45 providers. The Shields Health Care Group hack is the second largest, affecting 2 million patients.

The PFC notice stems from a security incident detected and stopped by the vendor on Feb. 26. During the attack, the actor accessed and disabled some computer systems. In response, PFC contracted with a forensic specialist to help with securing and investigating the incident.

The subsequent investigation revealed that the attacker possibly accessed patient names, contact information, accounts receivable balances, account payment information, dates of birth, Social Security numbers, health insurance information, and medical treatments.

PFC began notifying the impacted providers on May 5. They include an extensive list of dental providers, dermatologists, family care facilities, anesthesiologists, and a host of other covered entities.

In response to the attack, PFC wiped and rebuilt the impacted systems and bolstered its network security. The vendor has since reviewed its policies and procedures for its network security, as well as how it’s stored and managed.

242K patients, 5 more providers added to Eye Care Leaders breach

At least five more covered entities and 241,553 patients were added to the ongoing tally of individuals affected by the December 2021 ransomware attack on Eye Care Leaders, a tech and cloud electronic medical record vendor for the healthcare sector.

Carolina Eyecare Physicians reported 68,739 affected patients were included, along with 13,412 individuals tied to Kernersville Eye Surgeons, 92,361 from Mattax Neu Prater Eye Center, 26,000 from Alabama Eye & Cataract, and 41,041 from Center for Sight in Massachusetts.

The additional patients bring the overall total of those affected to 2.89 million.

As reported over the last few months, a ransomware attack struck ECL’s myCare Integrity EMR platform and its data on Dec. 4, 2021, and deleted databases and system configuration files in the process. Some of the client notifications show the incident caused a week of EMR downtime for certain providers.

The investigation did not conclude until April 19, which could explain why providers were not notified until April or May that the incident occurred. The investigation failed to provide the necessary forensic evidence to rule out the possibility that protected health information or personally identifiable information was accessed by the hacker.

The impacted data could include patient names, contact information, dates of birth, diagnostic details, and health insurance information.

Other provider notices revealed that before the hack ECL implemented layers of encryption for its data but failed to “encrypt the patient information itself.” ECL has since “assured” clients it would encrypt patient information moving forward.

In response, a number of clients are currently evaluating their contracts with the vendor, while others have canceled their partnership with ECL altogether.

ECL is currently defending itself against a provider-led lawsuit that accuses the vendor of concealing multiple ransomware attacks in April, June, and August, as well as weeks-long outages from its clients. The court docket shows the parties are currently assessing the possibility of a settlement.

Family Practice Center notifying patients of October 2021 breach

Pennsylvania-based Family Practice Center is just now notifying 83,969 patients that their data was accessed during an attempted cyberattack in October 2021. The attempt was not successful, and FPC was able to continue treating patients during the incident.

The notice explains the delay was caused by a lengthy investigation that concluded on May 21, 2022. However, the Health Insurance Portability and Accountability Act requires all data breaches impacting more than 500 patients to be reported within 60 days of discovery, not at the close of an investigation.

FPC’s investigation confirmed that the attacker accessed files during the hack, which included patient data, such as names, contact details, medical insurance information, treatments, and other health information. Social Security numbers were also involved for a subset of patients.

Patient medical records were not impacted by the cyberattack. FPC has since contracted with an outside cybersecurity firm to bolster its security and prevent a recurrence.

MAIC hack, data theft impacts 144K

More than 144,000 Michigan Avenue Immediate Care patients were recently notified that their data was stolen during a network hack in May.

MAIC first discovered the incident on May 1 and quickly contained it. An investigation conducted with support from a forensic security firm found the stolen files contained personal information that varied by patient, including SSNs, contact information, dates of birth, driver’s license numbers, treatments, and health insurance information.

The notice does not provide further details on how the attacker gained access, nor when the access first began.

Third-party administrator’s ransomware attack impacts 131K patients

A ransomware attack on Carolina Behavioral Health Alliance led to the unauthorized access of data tied to 130,922 patients who received services at LiveWELL Health Plan, as well as Wake Forest University Baptist Medical Center and WFU Health. CBHA is a third-party administrator that manages medical benefits for clients’ health plan participants.

The security incident was first detected on March 20, prompting an investigation into the scope. Officials said they determined a threat actor accessed and disabled a number of CBHA computer systems during the attack.

CBHA worked with an outside forensic firm to assist with securing the network and assessing the extent of the hack, finding that the attacker likely accessed patient health data between March 19 and March 20. The compromised data included names, dates of birth, SSNs, contact information, dates of service, provider names, and health plan identification numbers.

All impacted patients will receive access to free credit monitoring and identity theft protection services. CBHA has since wiped and rebuilt the affected systems, bolstered its network security, and improved its system and server security policies, procedures and software.

WellDyneRx email hack impacts 38,401 patients

About 38,400 patients tied to WellDyneRx were recently notified that their data was possibly compromised during a weeks-long email hack beginning on Oct. 30, 2021. As a reminder, HIPAA requires breach notices to be sent within 60 days of discovery and without undue delay.

WellDyne provides individuals with pharmacy benefit-related services. On Dec. 2, 2021, the security team discovered suspicious activity within an email account and launched an investigation with support from an outside forensic investigator. The team determined the account was accessed between Oct. 30, 2021, and Nov. 11, 2021.

The investigation could not conclusively rule out access or theft of the data contained in the account. Upon discovering the potential reach, WellDyne launched a “comprehensive and time-consuming programmatic and manual review” of the account’s content to verify the patients tied to the impacted data, which concluded in March.

The compromised data varied by patient and could include names, SSNs, dates of birth, driver’s license numbers, treatments, health insurance information, contact details, prescriptions, and other medical/health information.

Charlotte Radiology informs patients of breach, 6 months later

More than six months after discovering a security incident, Charlotte Radiology has notified an undisclosed number of patients that their data was stolen during a week-long systems hack.

On Christmas Eve 2021, a security incident hit certain systems containing patient information. The security team launched its incident response process, notified law enforcement, and launched an investigation with help from an outside forensic firm. Officials said they were able to contain the incident and “resume serving patients” within days.

The subsequent investigation revealed the hacker first gained access to the network on Dec. 17, a week before it was discovered. During the dwell time, the actor stole copies of “some of the documents” stored on its systems.

The stolen documents varied by patient and could include contact information, dates of birth, health insurance details, medical record numbers, patient account numbers, provider names, dates of service, diagnoses, and treatment information tied to radiology services. SSNs were contained in a “very limited number” of the stolen documents.

Charlotte Radiology is continuing to enhance its information security, systems, and monitoring capabilities.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
