
Cyberattack on Norwood Clinic compromises data tied to 228K patients

An October 2021 cyberattack on Norwood Clinic in Alabama was reported to HHS as impacting 228,103 patients. (Photo by Alex Wong/Getty Images)

Alabama-based Norwood Clinic notified 228,103 patients that their data was potentially accessed or acquired after a cyberattack in October 2021.

Upon discovery, the systems were secured and the security team worked to “safely restore its systems and operations.” The notice does not disclose whether the attack was caused by ransomware. The investigation determined the hackers gained access to servers containing patient information during the incident.

Norwood could not confirm the specific information possibly accessed during the hack. As a result, all patients are being notified of the potential impact to their data privacy, “regardless of whether their information was in fact subject to unauthorized access or acquisition.” 

The investigation determined the hackers gained access to folders that contain personal information of patients, including names, contact details, date of birth, Social Security numbers, driver’s licenses, some health information, and/or health insurance policy numbers. All patients will receive free credit monitoring, dark web monitoring, and identity theft protection services.

Norwood has since bolstered its email settings and policies, updated its network security technical hardware, improved password complexity rules, and implemented more secure login mechanisms for all accounts.

Data of 92K DRH Health patients impacted by systems hack

A cyberattack against DRH Health systems in January led to the potential compromise of data tied to 92,398 patients. First detected on Jan. 20, the “suspicious activity” impacted access to some of the Oklahoma provider’s systems and briefly disrupted certain systems.

The incident prompted the launch of incident response protocols, with DRH disconnecting all systems and employing an outside cybersecurity firm to investigate. The analysis found the attack impacted patient data stored outside of the primary electronic medical records system.

The compromised data included Social Security numbers, dates of birth, contact details, treatment information, and appointment information, like dates of service and provider names. All impacted individuals will receive complimentary credit monitoring and identity protection services.

DRH has since conducted a global password reset, tightened firewall restrictions, and implemented endpoint threat detection and response monitoring software on its workstations and servers.

Data of 52K Montrose Regional Health patients impacted by email hack

A brief breach disclosure from Montrose Regional Health in Colorado shows that data belonging to 52,632 patients was possibly compromised during a monthslong email hack in 2021. The notice does not explain the gap between discovering the incident and the disclosure, nor when the incident was first discovered.

Montrose Regional discovered “unusual activity in an employee’s email account” and worked with third-party specialists to examine the scope. Their review found a hacker accessed multiple employee email accounts for nearly three months between Aug. 2, 2021, and Oct. 26, 2021.

The investigation could not confirm whether the attacker accessed the information contained in the accounts. The compromised data varied by patient and could include inpatient/outpatient status, internal patient account numbers, service dates, cost of treatments, procedure codes, provider names, and/or health insurance providers.

Montrose Regional has since reset account passwords.

Acacia Network notifies patients of 2020 email hack

Social services provider Acacia Network recently began notifying an undisclosed number of patients that their data was potentially compromised during an email hack, first discovered in July 2020.

On July 17, 2020, Acacia discovered an attacker accessed several employee email accounts between June 6, 2020, and June 12, 2020. A computer forensic firm assisted with the investigation, which could not determine whether or not the data contained in the accounts was accessed.

The compromised accounts contained data from eight programs serviced by Acacia: Bronx Accountable Healthcare Network, Bronx Addiction Services Integrated Concepts System, Community Association of Progressive Dominicans, El Regreso, Greenhope Services for Women, La Casa De Salud, Promesa, and United Bronx Parents.

A review determined the impacted data varied by individual and could include SSNs, driver’s licenses, contact details, dates of birth, financial account numbers, medical record numbers or resident identification numbers, health insurance data, Medicare numbers, provider names, treatments, prescriptions, and diagnostic information.

The notice does not account for the staggering delay in notifying patients. The Health Insurance Portability and Accountability Act requires covered entities to notify patients within 60 days of discovering a breach impacting more than 500 patients. Acacia issued its notice more than a year and a half after discovering the intrusion.

In response to the incident, Acacia is reinforcing privacy and security training for its employees and implementing additional security measures.

Cyberattack on Crossroads Health leads to data theft impacting 10K

Approximately 10,324 patients of Beacon Health, now part of Crossroads Health, were recently notified that their data was stolen ahead of a cyberattack. Crossroads Health is a mental health and recovery support provider in Ohio.

The attack, which disrupted operations for certain IT systems, was first discovered on Jan. 18. After securing the systems, Crossroads notified law enforcement and launched an investigation. The analysis determined the hacker first accessed the systems several months earlier, between Nov. 21, 2021, and Jan. 18, 2022.

The files were removed from a legacy system prior to the cyberattack. The stolen information belonged to clients of Beacon Health, a former behavioral health facility that previously merged with Crossroads.

The forensic analysis confirmed the stolen files contained Beacon Health client data, including names, SSNs, dates of birth, contact details, driver’s licenses, treatments, diagnoses, and/or health insurance information. Individuals whose SSNs were stolen during the hack will receive free credit monitoring and identity protection services.

Crossroads Health has since added to its safeguards and technical security measures to prevent a recurrence.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
