
The Department of Health and Human Services breach reporting tool shows at least 10 more anesthesia practices have been added to the “data security incident” at a healthcare management company, first reported in October.

As previously reported, 13 other anesthesiology care sites primarily in the New York region reported similar security incidents first detected in July that resulted in data compromise for a total of 380,104 patients.

With the addition of 55,029 patients tied to multiple Resource Anesthesiology Associates care sites, Somnia Anesthesia Services, Saddlebrook Anesthesia Services, Primary Anesthesia Services, and Mid-Westchester Anesthesia Services, more than 435,000 patients from over 20 anesthesia practices have been affected.

It was initially unclear which management company was behind the incident. The notice from Somnia Anesthesia Services confirms the incident occurred on its network and sheds further light on what appears to be a systems hack.

After discovering the incident in July, Somnia launched its incident response protocols and disconnected all systems. An investigation was launched with support from an outside cybersecurity firm, which found “some information stored on Somnia’s systems may have been compromised.”

The compromised data affects both patients and employees and varies by individual, including names, Social Security numbers, dates of birth, driver’s licenses, financial account information, health insurance policy numbers, medical record numbers, Medicaid or Medicare IDs, and health information like treatments and diagnoses.

The delay in Somnia’s notice appears to be tied to its efforts to obtain patient addresses. Covered entities were first informed of the incident in September, within the 60-day timeframe required by the Health Insurance Portability and Accountability Act.

Somnia has since issued a global password change, strengthened its firewall restrictions, and deployed endpoint threat detection and response monitoring software on all workstations and servers.

“The management company has assured us that they have taken steps to prevent a similar incident in the future,” the provider notices read.

Third-party health administrator server compromise impacts Louisiana corrections

The Louisiana Department of Public Safety and Corrections recently began notifying more than 85,466 pretrial and DOC inmates that their medical data was compromised, due to the inadvertent exposure of two file directories belonging to its third-party health administrator. CorrectCare provides medical claims processing services to the state DPS&C.

The exposure was found and remediated within nine hours. Although just two directories were affected, more than nine years of data was exposed during the incident. The subset of impacted individuals includes those who were incarcerated and received offsite medical care between Jan. 1, 2013, and July 7, 2022.

The exposure was first discovered on July 6, but the notice does not detail how the incident occurred. The data could include individuals’ names, dates of birth, SSNs, DOC IDs, and some health information, like diagnosis codes and/or CPT codes.

The department’s onsite medical care and electronic health records (EHR) were not affected by the incident, as they’re managed by DPS&C. The state is continuing to work with CorrectCare and its partners to prevent a recurrence.

Baton Rouge General reporting June network hack

General Health System, or Baton Rouge General, began notifying an undisclosed number of patients that their data was compromised after a network hack in June.

The suspicious systems activity was first discovered on June 28, prompting the immediate launch of an investigation. GHS found its network was accessed for five days between June 24 and June 29, which gave a threat actor access to certain directories on the network.

The delayed notification appears to have been caused by “a comprehensive review of the contents of the directories” to determine the data contained within the servers and the impacted patients.

The investigation concluded on Oct. 13, finding the accessed data could include patient names, SSNs, dates of birth, diagnoses, treatments, biometric data, health insurance details, financial account data, driver’s licenses, state ID numbers, patient account numbers, and medical record numbers.

St. Luke’s Health faces breach incident, unrelated to CommonSpirit

A vendor’s “cybersecurity event” has spurred a breach notice from St. Luke’s Health. Adelanto Healthcare Ventures recently informed St. Luke’s that the compromise of two employee email accounts in November 2021 possibly exposed the data of its patients. AHCV is a consulting services vendor for St. Luke’s.

The yearlong delay was brought on by an update to initial findings, following the Nov. 5, 2021, email hack. Forensics first showed no patient health data was exposed during the incident, but a further review found the data of St. Luke’s patients was exposed. The hospital was first notified in September of this year.

The compromised data could include patient names, contact details, dates of birth, SSNs, dates of service, medical record numbers, Medicaid numbers, and limited clinical data, such as treatments and diagnosis codes.

AHCV has since implemented additional systems security measures, and St. Luke’s Health also conducted a thorough investigation.

The notice comes amid the continued outage at St. Luke’s parent company, CommonSpirit. As previously reported, a portion of the health system’s hospitals is continuing to face service disruptions after a cyberattack deployed more than one month ago.

OakBend Medical sheds light on previously reported data theft

In what’s become a model of transparency, OakBend Medical Center has issued yet another notice to 500,000 patients in the wake of its September cyberattack, data exfiltration, and network outage incidents.

From the initial attack and care diversion, the Texas hospital has maintained a high level of communication to patients about the impacts of the event. The impacts of the ransomware attack lasted for several weeks, leading to communication issues, patient fraud attempts, and the theft of patient data. The hospital has since had to rebuild its IT systems.

The latest notice sheds further light on the incident: the hack was first detected the morning of Sept. 1 and the attackers gained access to “various components” of the “computer network,” encrypting some of those platforms. Upon discovery, OakBend worked to remediate the issue and “harden our system against future attacks.”

They quickly confirmed the “cybercriminals had sufficient access to OakBend’s systems to encrypt our data.” The investigation, however, “indicates that a limited amount of data was actually transferred out of the OakBend computing environment.” The forensics suggest that the attackers were unable to remove full medical records from the systems.

Instead, the hackers did access and/or exfiltrate certain employee data sets, as well as some reports containing personal and medical data tied to both current and former patients, employees, and related individuals. The data varied by individual and could include names, contact details, SSNs, and dates of birth.

The “IT team has worked diligently to restore the integrity of our network,” officials stressed. The incident was also reported to law enforcement, and the hospital has been cooperating with the FBI on their investigation. OakBend has since added further security measures to prevent a recurrence.

Patients have also been warned that it’s possible they might “receive spam email messages and/or other fraudulent communications using your contact information,” and were urged to “be cautious when opening links or attachments from unknown third parties.”

Salud Family Health reports data theft, access incident

The data of an undisclosed number of Salud Family Health patients and employees was accessed after the hack of “certain computer systems” on Sept. 5. An investigation into the scope of the incident discovered a threat actor accessed the systems on the day it was discovered and accessed or stole protected health information.

The stolen data contained names, SSNs, driver’s license numbers or Colorado identification card numbers, financial account information or credit card numbers, passport numbers, diagnoses, treatments, health insurance details, biometric data, and user credentials. All individuals are being offered free credit monitoring and identity fraud protection services.

Salud Family Health is working to review and bolster its existing policies and procedures tied to data privacy and security, including increased network security measures.

Legacy Post Acute Care reports monthslong email account hack

California-based Legacy Post Acute Care is notifying patients that their personal data was compromised after the hack of multiple employee accounts.

The notice does not explain when the incident was first discovered, just that the “extensive forensic investigation and manual document review” concluded on Sept. 12. Their analysis confirmed multiple email accounts were accessed for more than two months between Jan. 19 and March 3.

The provider worked with an outside cybersecurity firm to investigate the extent of data compromise and confirm the security of the email platform. The lengthy delay in notification appears to have been caused by the “considerable time and effort” of the forensics process.

The notice does not share just what data was compromised during the incident, but all impacted individuals are being offered complimentary credit monitoring.